CVE-2026-41693: Path Traversal Unvalidated Template Interpolation
greprules fetch cve-2026-41693-path-traversal-unvalidated-template-interpolation --engine opengrep
Description
A str.replace()-based template interpolation returns the substituted value from a data object without path-segment safety validation. When the resulting string is used as a filesystem path and the substituted values originate from user input (e.g. HTTP language or namespace parameters), an attacker can inject path-traversal sequences such as '../../../../etc
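An added example, not taken from this rule page or from any affected project's code: the interpolation pattern the description refers to, beside a hardened form that accepts each substituted value only as a single path segment. The template, function names and sample values are assumptions constructed for illustration.

```javascript
// Added example: template, names and sample values are constructed.
const TEMPLATE = '/srv/app/locales/{{lng}}/{{ns}}.json'; // hypothetical load path

// Pattern from the description: the replace() callback returns data[key] unchecked.
function interpolateUnsafe(template, data) {
  return template.replace(/\{\{(\w+)\}\}/g, (match, key) =>
    Object.prototype.hasOwnProperty.call(data, key) ? String(data[key]) : match);
}

// A value is a safe path segment only if it cannot change directory depth.
function isSafeSegment(value) {
  // Non-strings (e.g. arrays from repeated query parameters) are rejected.
  if (typeof value !== 'string' || value.length === 0 || value.length > 64) return false;
  // Allow-list: no '/', '\', NUL or '%'; the second test also rejects '.' runs like '..'.
  return /^[A-Za-z0-9_.+-]+$/.test(value) && !value.includes('..') && value !== '.';
}

// Hardened form: validate each substituted value before it reaches the path.
function interpolateSafe(template, data) {
  return template.replace(/\{\{(\w+)\}\}/g, (match, key) => {
    if (!Object.prototype.hasOwnProperty.call(data, key)) return match;
    const value = data[key];
    if (!isSafeSegment(value)) {
      throw new RangeError(`unsafe path segment for "${key}"`);
    }
    return value;
  });
}

// Returns the interpolated path, or null when a value is rejected.
function tryResolve(data) {
  try {
    return interpolateSafe(TEMPLATE, data);
  } catch (err) {
    if (err instanceof RangeError) return null;
    throw err;
  }
}

// Constructed request parameters: one benign, one carrying traversal segments.
const benign = { lng: 'en-US', ns: 'common' };
const hostile = { lng: '../../outside', ns: 'common' };
console.log(interpolateUnsafe(TEMPLATE, hostile)); // path leaves the locales directory
console.log(tryResolve(benign), tryResolve(hostile));
```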
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided