Amidaware Tactical RMM Server-Side Template Injection Vulnerability Allowing Remote Command Execution

Vulnerability

A Server-Side Template Injection (SSTI) vulnerability has been identified in Amidaware Tactical RMM versions through 1.3.1. It allows low-privileged users with Report Viewer or Report Manager permissions to execute remote commands on the server. The issue arises in the '/reporting/templates/preview/' endpoint, where the 'template_md' parameter is not properly sanitized, so Jinja2 template syntax can be injected directly. The root cause is the misuse of the 'generate_html()' function, which passes user-controlled values to 'env.from_string', so the server processes arbitrary Jinja2 templates supplied by the user.

Impact

Exploitation of this vulnerability could lead to unauthorized remote command execution on the server, potentially compromising the entire system.

Remediation

Users are advised to update to version 1.4.0.
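
For reviewing requests sent to the preview endpoint before the upgrade, the following triage script is an added example, not code from Tactical RMM or from this advisory. It flags 'template_md' values whose Jinja2 blocks reach for underscore-prefixed attributes, which Jinja2's own sandbox treats as unsafe and which a report template has no reason to use. The JSON-lines record shape and the field names 'path', 'user' and 'body' are assumptions, and the sample records are constructed.

```python
import json
import re

PREVIEW_PATH = "/reporting/templates/preview/"  # endpoint named in the advisory
# Jinja2 expression and statement blocks: {{ ... }} and {% ... %}
JINJA_BLOCK = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# Underscore-prefixed names reached through .name, ['name'] or |attr('name')
PRIVATE_ACCESS = re.compile(
    r"""\.\s*_\w+|\[\s*['"]_\w+['"]\s*\]|\|\s*attr\s*\(\s*['"]_\w+""")


def suspicious_blocks(template_md):
    """Return the Jinja2 blocks in template_md that touch private attributes."""
    return [block for block in JINJA_BLOCK.findall(template_md or "")
            if PRIVATE_ACCESS.search(block)]


def triage(log_lines):
    """Return (user, blocks) for each preview request worth a closer look."""
    findings = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON records
        if not isinstance(rec, dict) or rec.get("path") != PREVIEW_PATH:
            continue
        body = rec.get("body")
        if not isinstance(body, dict):
            continue
        blocks = suspicious_blocks(body.get("template_md"))
        if blocks:
            findings.append((rec.get("user"), blocks))
    return findings


# Constructed sample records (assumed shape, not real Tactical RMM log output).
SAMPLE_LOG = [
    '{"path": "/reporting/templates/preview/", "user": "viewer1", '
    '"body": {"template_md": "# Report for {{ client.name }}"}}',
    '{"path": "/reporting/templates/preview/", "user": "viewer2", '
    '"body": {"template_md": "{{ client.__class__ }} {{ client|attr(\'__init__\') }}"}}',
    '{"path": "/reporting/templates/", "user": "viewer2"}',
    'not json',
]

if __name__ == "__main__":
    for user, blocks in triage(SAMPLE_LOG):
        print(user, blocks)
```

A hit is a lead for manual review, not proof of exploitation, and an empty result does not show the endpoint was never abused.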

Added: Jan 29, 2026, 8:23 PM
Updated: Jan 29, 2026, 10:32 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.9
remediation: 0.0
relevance: 2.5
threat: 4.3
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.