QwikSec

Security Database

CVE

CWE

Training

CVE-2026-29514

Published: May 4, 2026

Modified: May 21, 2026

PUBLISHED

CVSS v3.1

8.8

HIGH

Description

NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the RenderTemplateMixin.get_environment_params() method that allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary code by specifying malicious Python callables in the environment_params field. Attackers can bypass Jinja2 SandboxedEnvironment protections by setting the finalize parameter to any importable Python callable such as subprocess.getoutput, which is invoked on every rendered expression outside the sandbox's call interception mechanism, achieving remote code execution as the NetBox service user.

Vendor	Product	Versions
netbox-community	netbox	affected `4.3.5 - <= 4.5.4`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://chocapikk.com/posts/2026/netbox-export-template-rce/

technical-description

exploit

https://github.com/netbox-community/netbox/issues/22079

issue-tracking

https://github.com/netbox-community/netbox/pull/22078

issue-tracking

https://github.com/netbox-community/netbox/pull/22170

issue-tracking

https://github.com/netbox-community/netbox/releases/tag/v4.6.1

release-notes

https://github.com/netbox-community/netbox/commit/d124c5fe86e12aad61285133c0caf16adcda8f2e

patch

https://www.vulncheck.com/advisories/netbox-rce-via-rendertemplatemixin

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.