Cyber Resilience

CVE-2024-37301

Severity: High
Published: 11 June 2024
Modified: 15 April 2026
KEV added: not listed
Patch: none listed
CVSS v3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0560 (90.5th percentile)
Risk priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-37301 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability. Its CVSS base score is 7.2 (High).

Operationally, its EPSS score places it in the top 9.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Document Merge Service, a document template merge service that exposes an API for managing templates and performing merges, is affected by a server-side template injection vulnerability in versions 6.5.1 and earlier. The flaw, tracked as CVE-2024-37301 and assigned CWE-1336, permits remote code execution; when the service runs as root this can yield complete control of the underlying system. The issue carries a CVSS 3.1 base score of 7.2.

An attacker must already hold high privileges on the service (PR:H) to supply a malicious template through the management API. Successful exploitation results in arbitrary code execution on the server, enabling full system takeover; no user interaction is required (UI:N), and because the attack vector is network (AV:N), no adjacent-network position is needed.

Public advisories and the referenced GitHub security notice state that, at the time of disclosure, no patched release existed and no workarounds had been identified. The EPSS score remains low, with a current value of 0.0560 and a peak of 0.0780.


Vulnerability details

Document Merge Service is a document template merge service providing an API to manage templates and merge them with given data. Versions 6.5.1 and prior are vulnerable to remote code execution via server-side template injection which, when executed as root, can result in full takeover of the affected system. As of time of publication, no patched version exists, nor have any known workarounds been disclosed.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.


Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
