CVE-2026-0685: Server-side template injection (SSTI) in Edgewall Genshi Template Engine
Server-side template injection (SSTI) in the expression evaluation component of Genshi Template Engine version 0.7.9 allows a remote attacker to achieve remote code execution (RCE) via crafted template expressions.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: no fixed version published yet
- Affected Products: 1
HarborGuard Analysis
Synopsis
Server-side template injection (SSTI) is present in the expression evaluation component of Edgewall Genshi Template Engine version 0.7.9 and earlier. The vulnerability is reachable over the network with no authentication required and no user interaction needed. Successful exploitation gives an attacker full remote code execution on the host running the affected service. No fix has been published yet; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection capability for CVE-2026-0685 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of upstream publication, including custom-built images that bundle Genshi. Coverage extends to images in both connected registries and CI/CD pipeline scans. (Status: Available)
HarborGuard is capable of scoring this finding at CVSS 9.8 Critical and weighting it against each customer organization's compliance policy to determine urgency. Triage routing is available to direct the alert to the appropriate team inbox within each customer environment. (Status: Available)
Because no fix version has been published for Genshi, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, the finding remains open and flagged at Critical severity within each affected environment. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
The attacker must reach the Genshi-based service over the network; the CVSS vector specifies AV:N, meaning no local or physical access is needed.
- Authentication: Not required
No account or credentials are required; PR:N indicates the attacker can exploit the vulnerability as an anonymous user.
- Victim interaction: Not required
Exploitation requires no action from any user on the target system; UI:N means the attacker operates entirely on their own.
- Attack complexity: Low
Attack complexity is Low (AC:L), meaning the exploit is reliable and requires no special timing, race conditions, or environment-specific preconditions.
Blast Radius
- A successful attacker achieves remote code execution and can run arbitrary commands under the process identity of the Genshi service.
- Confidentiality impact is High: the attacker reads any data accessible to the process, including environment variables, secrets, configuration files, and in-memory credentials.
- Integrity impact is High: the attacker writes or modifies files, injects data into connected databases, or alters application state on the host.
- Availability impact is High: the attacker crashes the service, exhausts system resources, or deletes critical files, causing a full outage of the affected workload.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-0685 is active and will flag any image containing Genshi 0.7.9 or earlier as Critical the moment the image is scanned or re-evaluated. Because no upstream patch exists, HarborGuard will not yet generate a patched-image rebuild, but the advisory is re-checked on every ingest cycle; for customers with auto-remediation enabled, a rebuilt image, regression-test run, and PR against affected workloads will be initiated automatically as soon as a fix version is published. While waiting for an upstream patch, compensating controls worth evaluating include network-policy rules that restrict which services can send untrusted input to the Genshi rendering layer, egress filtering to limit what a compromised process can reach, and, where the application design allows it, disabling dynamic template expression evaluation through feature-flag or configuration gating. These mitigations do not eliminate the vulnerability, but they reduce the attack surface while no patch is available.
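The detection described above matches images against the advisory's affected range, Genshi 0.7.9 and earlier. The following added example (not HarborGuard's scanner and not Genshi's code) shows the version-range check such matching needs, run over constructed pip-freeze style inventory lines: it normalises package names, compares version components numerically so that a hypothetical 0.7.10 is not mistaken for an affected release, treats pre-release tags and unparseable versions conservatively, and emits a finding with no fixed version, mirroring the advisory's Fixed in field. The inventory lines and the finding layout are this example's assumptions.

```python
"""Flag Genshi entries at or below 0.7.9 in a package inventory.

Added example (not HarborGuard's scanner, not Genshi's code). The inventory
lines below are constructed for the example and do not come from a real image.
"""
import re

# Affected range as stated on this advisory: Genshi <= 0.7.9, no fixed release yet.
AFFECTED_PACKAGE = "genshi"
AFFECTED_MAX_VERSION = "0.7.9"
CVE_ID = "CVE-2026-0685"

# Constructed inventory in pip-freeze / pip-list style (sample data, not a real scan).
SAMPLE_INVENTORY = """\
# constructed sample: packages found in a container image layer
Genshi==0.7.9
jinja2==3.1.4
genshi 0.7.7
Genshi==0.7.10
genshi==0.8.0b1
mako==1.3.5
"""

_LINE_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==|\s)\s*(\S+)")
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([A-Za-z].*)?")


def normalize_name(name):
    """PEP 503 style normalisation so Genshi, genshi and GENSHI all match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """Split a version into (numeric tuple, is_prerelease).

    Numeric components are compared as integers, so 0.7.10 sorts after 0.7.9
    (a plain string comparison would get this wrong). Any alphabetic suffix
    (rc1, b1, dev0) is treated as a pre-release of the numeric part, which is
    the conservative reading for an affected-range check.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    return nums, m.group(2) is not None


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is before, equal to or after version b."""
    a_nums, a_pre = parse_version(a)
    b_nums, b_pre = parse_version(b)
    width = max(len(a_nums), len(b_nums))
    # Pad with zeros so 0.7 and 0.7.0 compare equal; a final release sorts
    # after a pre-release of the same numeric version.
    a_key = (a_nums + (0,) * (width - len(a_nums)), 0 if a_pre else 1)
    b_key = (b_nums + (0,) * (width - len(b_nums)), 0 if b_pre else 1)
    return (a_key > b_key) - (a_key < b_key)


def is_affected(version):
    """True when the version falls inside the advisory's range (<= 0.7.9)."""
    return compare_versions(version, AFFECTED_MAX_VERSION) <= 0


def scan_inventory(text):
    """Return one finding per affected Genshi entry in pip-freeze style text."""
    findings = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # comments, blank lines and unrecognised formats are skipped
        name, version = m.group(1), m.group(2)
        if normalize_name(name) != AFFECTED_PACKAGE:
            continue
        try:
            affected = is_affected(version)
        except ValueError:
            affected = True  # cannot prove it is outside the range: keep it flagged
        if affected:
            findings.append({
                "cve": CVE_ID,
                "package": name,
                "version": version,
                "severity": "CRITICAL",
                "fixed_in": None,  # no fixed version published at the time of the advisory
            })
    return findings


if __name__ == "__main__":
    for finding in scan_inventory(SAMPLE_INVENTORY):
        print(finding)
```

Run against the constructed inventory, the scan reports the 0.7.9 and 0.7.7 entries and leaves the 0.7.10 and 0.8.0b1 entries alone; the `fixed_in` field stays `None` until an upstream fix version exists to compare against.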
Affected Products
- Edgewall Genshi: Genshi ≤ 0.7.9
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H