Cyber Resilience

CVE-2026-2969

MediumPublic PoC

Published: 23 February 2026

Published
23 February 2026
Modified
24 February 2026
KEV Added
Patch
CVSS Score v4 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0009 25.9th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2969 is a medium-severity Incomplete Filtering of Special Elements (CWE-791) vulnerability in Datapizza Datapizza Ai. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as NLP and Transformers; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-2969 is a server-side template injection (SSTI) vulnerability in the datapizza-labs datapizza-ai version 0.0.2. The flaw affects the ChatPromptTemplate function within the file datapizza-ai-core/datapizza/modules/prompt/prompt.py, specifically in the Jinja2 Template Handler component. Manipulation of the Prompt argument leads to improper neutralization of special elements used in the template engine, as classified under CWE-791 and CWE-1336. The vulnerability was published on 2026-02-23 and carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

The vulnerability enables remote exploitation by attackers with high privileges (PR:H), requiring network access but low attack complexity and no user interaction. Successful exploitation allows limited impacts, including low-level disclosure of confidential information, modification of data, and denial of service. An exploit has been publicly disclosed, increasing the risk of active use.

Advisories from VulDB and the hacktivesec GitHub disclosure detail the issue, including a proof-of-concept (POC) for SSTI exploitation. The vendor was contacted early but provided no response, and no patches or mitigations are mentioned in the available references.

Notably, a public exploit is available via the disclosure repository, and the affected software's AI context—handling chat prompt templates—highlights relevance to AI/ML prompt engineering pipelines using Jinja2.

EU & UK References

Vulnerability details

A flaw has been found in datapizza-labs datapizza-ai 0.0.2. Affected is the function ChatPromptTemplate of the file datapizza-ai-core/datapizza/modules/prompt/prompt.py of the component Jinja2 Template Handler. This manipulation of the argument Prompt causes improper neutralization of special elements used in a template…

more

engine. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

AI Security AnalysisAI

AI Category
NLP and Transformers
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1221 Template Injection Stealth
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
Why these techniques?

SSTI vulnerability in Jinja2 template handler directly matches T1221 (Template Injection); remote network exploitability of the public-facing AI service application matches T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2970Same product: Datapizza Datapizza Ai
CVE-2026-21450Shared CWE-1336
CVE-2025-68454Shared CWE-1336
CVE-2025-14700Shared CWE-1336
CVE-2026-27629Shared CWE-1336
CVE-2025-68929Shared CWE-1336
CVE-2025-60355Shared CWE-1336
CVE-2025-67843Shared CWE-1336
CVE-2026-28695Shared CWE-1336
CVE-2026-1868Shared CWE-1336

Affected Assets

datapizza
datapizza ai
0.0.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of untrusted Prompt input before it reaches the Jinja2 template engine, blocking the SSTI payload.

prevent

Enforces least-privilege restrictions so that only the minimal set of accounts can reach the vulnerable ChatPromptTemplate function, reducing the PR:H attack surface.

prevent

Enforces access-control policy on the prompt-handling component, preventing unauthorized or overly broad use of the template handler.

References