What Is Server-Side Template Injection (SSTI)?
Server-side template injection (SSTI) is a vulnerability where user input is embedded into a server-side template and evaluated as template code rather than treated as data. Because template engines can execute expressions, SSTI often escalates to remote code execution. It is a classic case of untrusted input reaching a powerful evaluation sink.

What is server-side template injection?
Server-side template injection happens when an application takes user input and places it directly into a server-side template that is then evaluated by a template engine. Template engines exist to turn templates into output by evaluating the expressions inside them. When attacker-controlled input becomes part of the template itself, rather than data passed into it, the attacker can write expressions the engine will run.
The distinction that matters is data versus template. Passing user input into a template as a value is safe. Concatenating user input into the template string that the engine parses is not. SSTI is what happens when the second occurs.
How SSTI leads to remote code execution
Template engines are more powerful than they look. Many can read object attributes, call methods, and reach language built-ins from inside an expression. An attacker who can inject template syntax first confirms the engine is evaluating their input, then walks from a harmless expression to one that reaches a dangerous function. In many engines that path ends at process execution, which turns SSTI into remote code execution.
This is why SSTI is rated so severe. It is not only about leaking a template variable. It is a foothold that frequently escalates to running code on the server.
Where SSTI shows up
SSTI appears wherever applications build templates dynamically from user input: email and document generation, customizable dashboards or reports, marketing tools that let users define content, and any feature that lets input influence the template rather than only its data. It affects common engines across languages, and framework-level cases turn up regularly in disclosed CVEs. For real examples, see the CVE archive.
How SSTI differs from cross-site scripting
SSTI and cross-site scripting (XSS) both come from unsanitized input meeting a rendering step, but they execute in different places. XSS runs in the victim's browser. SSTI runs on the server, inside the template engine, which is why its worst case is server-side code execution rather than client-side script. Confusing the two leads teams to apply output-encoding fixes that do nothing for a server-side evaluation problem.
How to prevent and detect SSTI
Prevention starts with never building templates from user input. Pass user data as bound variables into a fixed template; do not concatenate it into the template source. Where user-defined templates are a genuine requirement, use a sandboxed or logic-less engine and restrict what expressions can reach. Input validation helps but is not sufficient on its own, because template syntax is broad.
Detection matters because SSTI is easy to introduce and its escalation to code execution can be subtle. Since a successful SSTI ends in code running on the server, runtime intelligence confirms whether a suspected SSTI path is actually reachable and executing, and application detection and response catches the moment an injected expression turns into a real code-execution event. Prioritize by reachability, then defend at runtime.
Frequently Asked Questions
SSTI is a vulnerability where user input is embedded into a server-side template and evaluated as template code rather than treated as data, letting an attacker run expressions in the template engine.
Template engines can access object methods and language built-ins from inside expressions. An attacker who injects template syntax can often walk from a simple expression to one that reaches process execution, escalating SSTI to RCE.
Both come from unsanitized input meeting rendering, but XSS executes in the victim's browser while SSTI executes on the server inside the template engine. SSTI's worst case is server-side code execution.
Never build templates from user input. Pass user data as bound variables into fixed templates rather than concatenating it into the template source, and use a sandboxed engine where user-defined templates are required.
Because successful SSTI ends in code running on the server, runtime intelligence confirms whether the path is reachable and executing, and application detection and response flags the moment an injected expression becomes a real code-execution event.
Related blogs

What is an LLM Jailbreak?
An LLM jailbreak bypasses a model's safety guardrails to produce restricted output. How jailbreaks work, how they differ from prompt injection, and defenses.
4
Stop the waste.
Protect your environment with Kodem.
A Primer on Runtime Intelligence
See how Kodem's cutting-edge sensor technology revolutionizes application monitoring at the kernel level.
Platform Overview Video
Watch our short platform overview video to see how Kodem discovers real security risks in your code at runtime.
The State of the Application Security Workflow
This report aims to equip readers with actionable insights that can help future-proof their security programs. Kodem, the publisher of this report, purpose built a platform that bridges these gaps by unifying shift-left strategies with runtime monitoring and protection.
.avif)
Get real-time insights across the full stack…code, containers, OS, and memory
Watch how Kodem’s runtime security platform detects and blocks attacks before they cause damage. No guesswork. Just precise, automated protection.



