Cyber Posture

CVE-2026-3725

MediumPublic PoC

Published: 08 March 2026

Published
08 March 2026
Modified
13 March 2026
KEV Added
Patch
CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0005 15.6th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3725 is a medium-severity Incomplete Filtering of Special Elements (CWE-791) vulnerability in Lab1024 Smartadmin. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
attack.mitre.org →
Why these techniques?

SSTI in remote email template handler directly enables exploitation of public-facing app for arbitrary code execution (T1190) via injected template content interpreted at runtime (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A flaw has been found in 1024-lab/lab1024 SmartAdmin up to 3.29. Affected by this issue is the function freemarkerResolverContent of the file sa-base/src/main/java/net/lab1024/sa/base/module/support/mail/MailService.java of the component FreeMarker Template Handler. Executing a manipulation of the argument template_content can lead to improper…

more

neutralization of special elements used in a template engine. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysisAI

CVE-2026-3725 is a server-side template injection (SSTI) vulnerability in the 1024-lab/lab1024 SmartAdmin application, affecting versions up to 3.29. The flaw resides in the freemarkerResolverContent function within the file sa-base/src/main/java/net/lab1024/sa/base/module/support/mail/MailService.java, part of the FreeMarker Template Handler component. It stems from improper neutralization of special elements used in a template engine (CWE-791, CWE-1336), triggered by manipulating the template_content argument.

The vulnerability allows remote exploitation by low-privileged users (PR:L), with no need for user interaction (UI:N) and low attack complexity (AC:L). Successful exploitation can result in limited impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), as scored at CVSS 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). Attackers with access to manipulate email template content could inject malicious FreeMarker templates to execute arbitrary code or access sensitive data within the application's context.

Advisories from VulDB and a Notion page detail the SSTI in SmartAdmin's email template rendering but report no patches or mitigations, as the vendor was contacted early without response. Security practitioners should upgrade to newer versions if available, sanitize template inputs, or disable dynamic template rendering in MailService.

An exploit has been publicly disclosed and may be in use, increasing the urgency for affected deployments to assess exposure.

Details

CWE(s)
CWE-791CWE-1336

Affected Products

lab1024
smartadmin
≤ 3.29

CVEs Like This One

CVE-2025-1040Shared CWE-1336
CVE-2024-54954Shared CWE-1336
CVE-2025-53833Shared CWE-1336
CVE-2024-57177Shared CWE-1336
CVE-2026-21449Shared CWE-1336
CVE-2026-22244Shared CWE-1336
CVE-2026-28783Shared CWE-1336
CVE-2026-25526Shared CWE-1336
CVE-2025-49828Shared CWE-1336
CVE-2026-34587Shared CWE-1336

References