HCE2-SA-2025-0200 Important HCE 2.0 Security Fix(es): Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja_x27;s sandbox does catch calls to str.format and ensures they don_x27;t escape the sandbox. However, it_x27;s possible to use the |attr filter to get a reference to a string_x27;s plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment_x27;s attribute lookup. This vulnerability is fixed in 3.1.6. (CVE-2025-27516) HCE 2.0 python3-jinja2-3.0.3-1.r6.hce2.noarch.rpm python-jinja2-help-3.0.3-1.r6.hce2.noarch.rpm