Improperly Controlled Modification of Dynamically-Determined Object Attributes Affecting scriban package, versions [,7.2.2)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DOTNET-SCRIBAN-17824432
  • published6 Jul 2026
  • disclosed6 Jul 2026
  • creditCyberWarrior9

Introduced: 6 Jul 2026

New CVE NOT AVAILABLE CWE-284  (opens in a new tab)
CWE-915  (opens in a new tab)

How to fix?

Upgrade Scriban to version 7.2.2 or higher.

Overview

Scriban is a

Scriban is a fast, powerful, safe and lightweight scripting language and engine for .NET, which was primarily developed for text templating with a compatibility mode for parsing liquid templates.

Today, not only Scriban can be used in text templating scenarios, but also can be integrated as a general scripting engine: For example, Scriban is at the core of the scripting engine for kalk, a command line calculator application for developers.

Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes through the TypedObjectAccessor process. An attacker can modify properties of CLR objects, including those with restricted setters such as private, internal, or init accessors, by submitting crafted template code that assigns values to these properties. This can result in unauthorized changes to application state or escalation of privileges.

CVSS Base Scores

version 4.0
version 3.1