Uncontrolled Recursion Affecting scriban package, versions [,7.0.0)
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-DOTNET-SCRIBAN-15787444
- published26 Mar 2026
- disclosed24 Mar 2026
- creditoffset
Introduced: 24 Mar 2026
New CVE NOT AVAILABLE CWE-674 (opens in a new tab)How to fix?
Upgrade Scriban to version 7.0.0 or higher.
Overview
Scriban is a 
Scriban is a fast, powerful, safe and lightweight scripting language and engine for .NET, which was primarily developed for text templating with a compatibility mode for parsing liquid templates.
Today, not only Scriban can be used in text templating scenarios, but also can be integrated as a general scripting engine: For example, Scriban is at the core of the scripting engine for kalk, a command line calculator application for developers.
Affected versions of this package are vulnerable to Uncontrolled Recursion in the object.to_json function. An attacker can cause the process to terminate unexpectedly by submitting a specially crafted template that triggers unbounded recursion, leading to a StackOverflowException.