What is it about?
Template engines are software components widely used in modern web applications to create dynamic web pages, such as product listings, dashboards, and personalized content. They help developers separate presentation from application logic, which makes development faster and more manageable. However, this convenience can come with serious security risks. This paper studies a specific class of web vulnerabilities known as Server-Side Template Injection (SSTI). SSTI happens when untrusted user input becomes part of the template source itself, rather than being passed to the template as data, so the engine parses and evaluates whatever the attacker wrote instead of treating it as a literal string. In the most severe cases this leads to Remote Code Execution (RCE), meaning an attacker can run arbitrary commands on the server and potentially take full control of it. To better understand this problem, we analyzed 34 template engines across eight programming languages. We examined how often template engines are used, how SSTI appears in real applications, and why these vulnerabilities can so often lead to code execution. We also reviewed existing research and tools for detecting SSTI, and we identified common weaknesses in current defenses. Our results show that the risk is widespread and still underestimated, highlighting the need for stronger protection methods and more research on preventing code execution in template engines.
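To make the distinction between "input in the template source" and "input as template data" concrete, here is an added illustration that is not code from the paper or from any of the engines it studied. It uses a deliberately tiny toy engine (the `render` function below, an assumption for this example) that evaluates `{{ ... }}` expressions with Python's `eval`, which is the kind of expression evaluation many real engines perform. `greet_vulnerable` builds the template by concatenating user input and is injectable; `greet_safe` keeps the template constant and passes the input as data. `is_template_injectable` is a black-box check using the generic arithmetic probe `{{7*7}}` that the offensive-security literature commonly uses to detect SSTI; all names and inputs here are constructed for the example.

```python
import html
import re

# Toy template engine, constructed for this example only (not a real engine).
# It replaces every {{ expr }} with the result of evaluating expr in Python.
# Builtins are removed, mimicking the kind of "sandbox" some engines offer;
# the point of the example is that this does not matter when the attacker
# controls the template source, because the engine still *evaluates* input.
EXPR = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)


def render(template: str, context: dict) -> str:
    """Render `template`, evaluating {{ expr }} against `context` (toy engine)."""

    def evaluate(match: re.Match) -> str:
        expr = match.group(1).strip()
        value = eval(expr, {"__builtins__": {}}, dict(context))  # noqa: S307 (intentional)
        # Output escaping protects against XSS, not against SSTI: by the time
        # we escape, the expression has already been evaluated server-side.
        return html.escape(str(value))

    return EXPR.sub(evaluate, template)


def greet_vulnerable(name: str) -> str:
    """SSTI: untrusted input is concatenated into the TEMPLATE SOURCE.

    Whatever the user typed is parsed and evaluated by the engine.
    """
    return render("Hello " + name + "!", {})


def greet_safe(name: str) -> str:
    """Fixed: the template is a constant; untrusted input is passed as DATA.

    The engine evaluates the expression `name`, which just yields the string,
    so delimiters inside the user's input are rendered literally.
    """
    return render("Hello {{ name }}!", {"name": name})


# Generic SSTI probe: if the output contains the *result* of the arithmetic
# rather than the probe text, the input reached the template source.
PROBE = "{{7*7}}"


def is_template_injectable(render_fn) -> bool:
    """Black-box check: call `render_fn` with the probe and inspect the output."""
    out = render_fn(PROBE)
    return "49" in out and PROBE not in out


if __name__ == "__main__":
    for fn in (greet_vulnerable, greet_safe):
        print(f"{fn.__name__}: {fn(PROBE)!r} injectable={is_template_injectable(fn)}")
```

Note that the hardened version does not rely on filtering `{{` from the input or on the emptied builtins; it relies on never letting untrusted bytes become template source. That is the property the prevention mechanisms discussed in the paper have to guarantee, and it is independent of the engine's expression language.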
Why is it important?
This work is important because template engines are a core building block of modern web applications, yet their security risks are still not well understood. Our study shows that Remote Code Execution is not a rare edge case, but a frequent consequence of template engine misuse and design choices. By systematically analyzing 34 template engines in eight programming languages, we provide one of the broadest assessments of this problem to date. The paper contributes a taxonomy of code execution paths, a classification of protection mechanisms, and a methodology for evaluating the security posture of template engines. It also highlights a major gap in current research: most prior efforts have focused on detecting or exploiting SSTI, while prevention of code execution remains largely overlooked. We hope this work helps researchers, tool developers, and practitioners better understand the threat landscape and motivates the development of more effective defenses for widely deployed web technologies.
Perspectives
This publication grew from the impression that template engines are often treated as routine development tools rather than security-critical components. While SSTI is known in the offensive security community, the broader issue of why template engines so often enable code execution has received much less attention in academic research. I wanted to study this problem in a more systematic way, across different programming languages and implementation styles, to understand whether these risks were isolated or widespread. What stood out most during the work was how common RCE paths still are, even in popular or actively used template engines. This suggests that the problem is not only about isolated bugs, but also about deeper design trade-offs and insufficient defensive models. My hope is that this paper helps shift part of the conversation from exploitation and detection toward prevention, and encourages more research on building template engines that are secure by design.
Lorenzo Pisu
Università degli Studi di Cagliari
Read the Original
This page is a summary of: An Assessment of the Overlooked Dangers of Template Engines, ACM Transactions on the Web, February 2026, ACM (Association for Computing Machinery), DOI: 10.1145/3799796.