HCE2-SA-2025-0102 Important HCE 2.0 Security Fix(es): Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja_x27;s sandbox does catch calls to str.format and ensures they don_x27;t escape the sandbox. However, it_x27;s possible to store a reference to a malicious string_x27;s format method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox. This vulnerability is fixed in 3.1.5. (CVE-2024-56326) HCE 2.0 python3-jinja2-3.0.3-1.r4.hce2.noarch.rpm python-jinja2-help-3.0.3-1.r4.hce2.noarch.rpm