Security: scriban/scriban
Security
No security policy detected
This project has not set up a SECURITY.md file yet.
Template Writes to Arbitrary CLR Properties via `TypedObjectAccessor` (Mass Assignment + `private` / `init` / `internal` Setter Bypass)
GHSA-7jvp-hj45-2f2m, published May 30, 2026 by xoofx, severity: Moderate

array * int (ScriptArray<T>.TryEvaluate) bypasses LoopLimit — incomplete fix for GHSA-c875-h985-hvrc, missed sibling of GHSA-24c8-4792-22hx; affects 3.0.0 through 7.2.0
GHSA-q6rr-fm2g-g5x8, published May 24, 2026 by xoofx, severity: Low

ExpressionDepthLimit guard is non-enforcing — parser-recursion DoS in 6.6.0–7.2.0 (incomplete fix for GHSA-wgh7-7m3c-fx25 / GHSA-p6q4-fgr8-vx4p)
GHSA-6q7j-xr26-3h2c, published May 24, 2026 by xoofx, severity: Moderate

array.insert_at index parameter DoS bypasses LoopLimit and LimitToString
GHSA-24c8-4792-22hx, published May 12, 2026 by xoofx, severity: Moderate

Multiple Denial-of-Service Vectors via Unbounded Resource Consumption in Scriban Expression Evaluation
GHSA-xw6w-9jjh-p9cr, published Mar 22, 2026 by xoofx, severity: Moderate

Denial of Service via Unbounded Cumulative Template Output Bypassing LimitToString
GHSA-m2p3-hwv5-xpqw, published Mar 22, 2026 by xoofx, severity: Moderate

Uncontrolled Recursion in `object.to_json` Causes Unrecoverable Process Crash via StackOverflowException
GHSA-xcx6-vp38-8hr5, published Mar 22, 2026 by xoofx, severity: High

Uncontrolled Memory Allocation via string.pad_left/pad_right Allows Remote Denial of Service
GHSA-v66j-x4hw-fv9g, published Mar 22, 2026 by xoofx, severity: High

Built-in operations bypass LoopLimit and delay cancellation, enabling denial-of-service
GHSA-c875-h985-hvrc, published Mar 22, 2026 by xoofx, severity: High

TypedObjectAccessor cache bypasses MemberFilter after TemplateContext reuse, leading to sandbox escape
GHSA-5wr9-m6jw-xx44, published Mar 22, 2026 by xoofx, severity: Critical