CVE-2026-2969
Published: 23 February 2026
Summary
CVE-2026-2969 is a medium-severity Incomplete Filtering of Special Elements (CWE-791) vulnerability in Datapizza Datapizza Ai. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as NLP and Transformers; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-2969 is a server-side template injection (SSTI) vulnerability in the datapizza-labs datapizza-ai version 0.0.2. The flaw affects the ChatPromptTemplate function within the file datapizza-ai-core/datapizza/modules/prompt/prompt.py, specifically in the Jinja2 Template Handler component. Manipulation of the Prompt argument leads to improper neutralization of special elements used in the template engine, as classified under CWE-791 and CWE-1336. The vulnerability was published on 2026-02-23 and carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
The vulnerability enables remote exploitation by attackers with high privileges (PR:H), requiring network access but low attack complexity and no user interaction. Successful exploitation allows limited impacts, including low-level disclosure of confidential information, modification of data, and denial of service. An exploit has been publicly disclosed, increasing the risk of active use.
Advisories from VulDB and the hacktivesec GitHub disclosure detail the issue, including a proof-of-concept (POC) for SSTI exploitation. The vendor was contacted early but provided no response, and no patches or mitigations are mentioned in the available references.
Notably, a public exploit is available via the disclosure repository, and the affected software's AI context—handling chat prompt templates—highlights relevance to AI/ML prompt engineering pipelines using Jinja2.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7585
Vulnerability details
A flaw has been found in datapizza-labs datapizza-ai 0.0.2. Affected is the function ChatPromptTemplate of the file datapizza-ai-core/datapizza/modules/prompt/prompt.py of the component Jinja2 Template Handler. This manipulation of the argument Prompt causes improper neutralization of special elements used in a template…
more
engine. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
AI Security AnalysisAI
- AI Category
- NLP and Transformers
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSTI vulnerability in Jinja2 template handler directly matches T1221 (Template Injection); remote network exploitability of the public-facing AI service application matches T1190 (Exploit Public-Facing Application).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of untrusted Prompt input before it reaches the Jinja2 template engine, blocking the SSTI payload.
Enforces least-privilege restrictions so that only the minimal set of accounts can reach the vulnerable ChatPromptTemplate function, reducing the PR:H attack surface.
Enforces access-control policy on the prompt-handling component, preventing unauthorized or overly broad use of the template handler.