Cyber Resilience

CVE-2026-3725

Severity: Medium · Public PoC

Published: 08 March 2026
Modified: 13 March 2026
KEV Added: not listed
Patch: none reported
CVSS Score v4: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0040 (31.5th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-3725 is a medium-severity Incomplete Filtering of Special Elements (CWE-791) vulnerability in Lab1024 Smartadmin. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 31.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-3725 is a server-side template injection (SSTI) vulnerability in the 1024-lab/lab1024 SmartAdmin application, affecting versions up to 3.29. The flaw resides in the freemarkerResolverContent function within the file sa-base/src/main/java/net/lab1024/sa/base/module/support/mail/MailService.java, part of the FreeMarker Template Handler component. It stems from improper neutralization of special elements used in a template engine (CWE-791, CWE-1336), triggered by manipulating the template_content argument.

The vulnerability allows remote exploitation by low-privileged users (PR:L), with no need for user interaction (UI:N) and low attack complexity (AC:L). Successful exploitation can result in limited impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), as scored at CVSS 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). Attackers with access to manipulate email template content could inject malicious FreeMarker templates to execute arbitrary code or access sensitive data within the application's context.

Advisories from VulDB and a Notion page describe the SSTI in SmartAdmin's email template rendering but report no patch or vendor mitigation, as the vendor was contacted early and did not respond. Security practitioners should upgrade to a newer version if one is available, validate and sanitize template inputs, or disable dynamic template rendering in MailService.

An exploit has been publicly disclosed and may be in use, increasing the urgency for affected deployments to assess exposure.

Vulnerability details

A flaw has been found in 1024-lab/lab1024 SmartAdmin up to 3.29. Affected by this issue is the function freemarkerResolverContent of the file sa-base/src/main/java/net/lab1024/sa/base/module/support/mail/MailService.java of the component FreeMarker Template Handler. Executing a manipulation of the argument template_content can lead to improper neutralization of special elements used in a template engine. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The SSTI in the remotely reachable email template handler lets an attacker exploit the public-facing application for arbitrary code execution (T1190); the injected template content is interpreted at runtime by the template engine (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21449 (shared CWE-1336)
CVE-2025-53833 (shared CWE-1336)
CVE-2026-34906 (shared CWE-1336)
CVE-2026-41713 (shared CWE-1336)
CVE-2024-57177 (shared CWE-1336)
CVE-2024-54954 (shared CWE-1336)
CVE-2026-47323 (shared CWE-791)
CVE-2026-22244 (shared CWE-1336)
CVE-2026-28783 (shared CWE-1336)
CVE-2026-25526 (shared CWE-1336)

Affected Assets

lab1024 smartadmin ≤ 3.29

Mitigating Controls (NIST 800-53 r5, AI)

SI-10 Information Input Validation (prevent)
Directly requires validation and sanitization of untrusted template_content before it reaches the FreeMarker engine, blocking the SSTI payload.

AC-3 Access Enforcement (prevent)
Enforces access restrictions on the MailService.freemarkerResolverContent function so only authorized subjects can supply template_content.

prevent
Allows disabling or restricting dynamic FreeMarker template processing in the mail component, eliminating the attack surface.
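The following is an added illustration of the controls listed above and of the "validate template inputs / disable dynamic template rendering" advice in the deeper analysis. It is not SmartAdmin's MailService or its freemarkerResolverContent, and it is not code from the advisories; the class, method and field names are assumptions, and the sample request values are constructed. The design point it shows is the one that removes the SSTI class entirely: template bodies are registered from a trusted source at startup, and request-supplied text only ever enters FreeMarker as a data-model value, which the engine prints (HTML-escaped) rather than parses. A syntax check on inputs and a locked-down FreeMarker configuration are layered on as defence in depth.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.core.HTMLOutputFormat;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Hypothetical hardened mail renderer (assumption: not SmartAdmin's MailService).
 * Template bodies are developer-controlled and registered at startup; request data
 * is only ever passed as a data-model value, never spliced into template source.
 */
public final class SafeMailRenderer {

    // Markers that open FreeMarker interpolations or directives in the default
    // angle-bracket syntax and the square-bracket syntax. Request text containing
    // them is rejected at the input boundary (SI-10 style check). This is defence
    // in depth; the primary protection is that such text is never parsed as a template.
    private static final Pattern TEMPLATE_SYNTAX =
            Pattern.compile("\\$\\{|#\\{|<#|</#|<@|</@|\\[#|\\[/#|\\[@|\\[/@|\\[=");

    private final Configuration cfg;
    private final StringTemplateLoader trustedTemplates = new StringTemplateLoader();

    public SafeMailRenderer() {
        cfg = new Configuration(Configuration.VERSION_2_3_32);
        cfg.setTemplateLoader(trustedTemplates);            // only registered templates can be loaded
        cfg.setOutputFormat(HTMLOutputFormat.INSTANCE);      // ${...} output is auto-escaped as HTML
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER); // disables ?new
        cfg.setAPIBuiltinEnabled(false);                     // keeps ?api off (the default, stated explicitly)
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        cfg.setLogTemplateExceptions(false);
    }

    /** Register a template body that ships with the application (trusted source only). */
    public void registerTrustedTemplate(String name, String body) {
        trustedTemplates.putTemplate(name, body);
    }

    /** Reject request-supplied text that looks like template syntax. */
    public static String requirePlainText(String field, String value) {
        if (value == null) {
            throw new IllegalArgumentException(field + " is required");
        }
        if (TEMPLATE_SYNTAX.matcher(value).find()) {
            throw new IllegalArgumentException(field + " must not contain template syntax");
        }
        return value;
    }

    /** Render a registered template; untrusted values go into the model, never into the template text. */
    public String render(String templateName, Map<String, String> untrustedFields)
            throws IOException, TemplateException {
        Map<String, Object> model = new HashMap<>();
        for (Map.Entry<String, String> e : untrustedFields.entrySet()) {
            model.put(e.getKey(), requirePlainText(e.getKey(), e.getValue()));
        }
        Template t = cfg.getTemplate(templateName);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        SafeMailRenderer r = new SafeMailRenderer();
        r.registerTrustedTemplate("welcome",
                "<p>Hello ${userName}, your ticket is ${ticketId}.</p>");

        // Constructed sample request data: the angle brackets are escaped, not interpreted.
        Map<String, String> ok = new HashMap<>();
        ok.put("userName", "Alice <alice@example.com>");
        ok.put("ticketId", "T-42");
        System.out.println(r.render("welcome", ok));
        // -> <p>Hello Alice &lt;alice@example.com&gt;, your ticket is T-42.</p>

        // Constructed sample containing template syntax: rejected at the boundary.
        // Even without the check, it would be printed as text because it is model data.
        Map<String, String> bad = new HashMap<>();
        bad.put("userName", "${userName}");
        bad.put("ticketId", "T-43");
        try {
            r.render("welcome", bad);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

In SmartAdmin's case the advisory describes template_content itself being parsed, which is the pattern the renderer above refuses to support: there is no code path that turns a request string into a Template. Where a product genuinely needs administrator-editable templates, the AC-3 control applies on top of this, restricting who may call registerTrustedTemplate, and the ALLOWS_NOTHING_RESOLVER and disabled ?api settings limit what a template can reach even if one is compromised.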
