hunt-ssti
Detects server-side template injection vulnerabilities across various templating engines, enabling escalation to remote code execution.
Security score: 33/100
The hunt-ssti skill was audited on Jun 10, 2026; the audit found 7 security issues across 3 threat categories, including 1 critical. Review the findings below before installing.
Security Issues
| Severity | Line | Finding | Source | Flagged content (truncated as on the page) |
|---|---|---|---|---|
| critical | 48 | Direct command execution function call | SKILL.md | - **`hunt-file-upload`** — Office docs, SVGs, and email templates uploaded by the user are common SSTI surfaces (the server re-renders them). Chain primitive: upload a DOCX whose `word/document.xml` c |
| medium | 10 | Template literal with variable interpolation in command context | SKILL.md | ``` |
| high | 45 | Template literal with variable interpolation in command context | SKILL.md | - **`hunt-rce`** — SSTI is the easiest path to RCE on Python/Ruby/PHP/Java stacks because the template language already exposes the runtime. Chain primitive: Jinja2 `{{config.__class__.__init__.__glob |
| high | 48 | Template literal with variable interpolation in command context | SKILL.md | - **`hunt-file-upload`** — Office docs, SVGs, and email templates uploaded by the user are common SSTI surfaces (the server re-renders them). Chain primitive: upload a DOCX whose `word/document.xml` c |
| low | 27 | Access to .env file | SKILL.md | {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}} |
| medium | 49 | Access to .env file | SKILL.md | - **`security-arsenal`** — Reach for the engine-specific escape payload tree: Jinja2 class-walker variants (`__subclasses__()[N]` index hunting), Twig `_self.env` registerUndefinedFilterCallback, Free |
| low | 47 | External URL reference | SKILL.md | - **`hunt-ssrf`** — Template engines often expose URL fetchers/filters before they expose the runtime, giving you SSRF before RCE. Chain primitive: Twig `{{ include('http://169.254.169.254/latest/meta |
Scanned on Jun 10, 2026
GitHub Stars: 2.2K
Category: development
Updated: June 15, 2026
Repository: elementalsouls/Claude-BugHunter