{"id":"CVE-2025-1087","details":"Kong Insomnia Desktop Application before 11.0.2 contains a template injection vulnerability that allows attackers to execute arbitrary code. The vulnerability exists due to insufficient validation of user-supplied input when processing template strings, which can lead to arbitrary JavaScript execution in the context of the application.","modified":"2026-04-10T05:25:25.291782Z","published":"2025-05-09T12:15:32.913Z","references":[{"type":"PACKAGE","url":"https://github.com/Kong/insomnia"},{"type":"ARTICLE","url":"https://tantosec.com/blog/2025/06/insomnia-api-client-template-injection/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/Kong/insomnia","events":[{"introduced":"0"},{"fixed":"ba27b3206d168761bfc5c316b704ce3cd46e645b"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"11.0.2"}]}}],"versions":["core@11.0.0-alpha.3","core@11.0.1-alpha.0","core@2020.1.0-beta.3","core@2020.2.0","core@2020.2.1","core@2020.2.2","core@2020.4.0-beta.4","core@2021.1.0","core@2021.1.0-alpha.1","core@2021.1.0-alpha.2","designer@2020.1.0","designer@2020.1.0-beta.3","designer@2020.1.1","designer@2020.1.2","designer@2020.1.3","designer@2020.1.4-test.1","designer@2020.2.0","designer@2020.2.2","designer@2020.3.0-alpha.3","designer@2020.3.0-alpha.4","designer@2020.4.0-beta.4","insomnia-app@1.0.13","insomnia-app@1.0.14","insomnia-app@1.0.15","insomnia-app@1.0.16","insomnia-app@1.0.18","insomnia-app@1.0.19","insomnia-app@1.0.20","insomnia-app@1.0.21","insomnia-app@1.0.22","insomnia-app@1.0.23","insomnia-app@1.0.24","insomnia-app@1.0.25","insomnia-app@1.0.26","insomnia-app@1.0.27","insomnia-app@1.0.31","insomnia-app@1.0.32","insomnia-app@1.0.33","insomnia-app@1.0.34","insomnia-app@1.0.35","insomnia-app@1.0.36","insomnia-app@1.0.37","insomnia-app@1.0.38","insomnia-app@1.0.39","insomnia-app@1.0.40","insomnia-app@1.0.46","insomnia-app@1.0.47","insomnia-app@1.0.48","insomnia-app@1.1.0","insomnia-app@1.1.12","insomnia-app@1.1.13","insomnia-app@1.1.14","insomnia-app@1.1.15","insomnia-app@1.1.2","insomnia-app@1.1.3","insomnia-app@1.1.4","insomnia-app@1.1.5","insomnia-app@1.1.6","insomnia-app@1.1.7","insomnia-app@1.1.8","insomnia-cookies@0.0.11","insomnia-cookies@0.0.13","insomnia-cookies@0.0.15","insomnia-cookies@0.0.16","insomnia-cookies@0.0.17","insomnia-cookies@0.0.21","insomnia-cookies@0.0.22","insomnia-cookies@0.0.5","insomnia-cookies@0.0.6","insomnia-cookies@0.0.7","insomnia-httpsnippet@1.16.10","insomnia-httpsnippet@1.16.11","insomnia-httpsnippet@1.16.12","insomnia-httpsnippet@1.16.16","insomnia-httpsnippet@1.16.17","insomnia-httpsnippet@1.16.19","insomnia-httpsnippet@1.16.21","insomnia-httpsnippet@1.16.8","insomnia-httpsnippet@1.16.9","insomnia-importers@2.0.1","insomnia-importers@2.0.10","insomnia-importers@2.0.11","insomnia-importers@2.0.12","insomnia-importers@2.0.14","insomnia-importers@2.0.16","insomnia-importers@2.0.17","insomnia-importers@2.0.18","insomnia-importers@2.0.19","insomnia-importers@2.0.20","insomnia-importers@2.0.24","insomnia-importers@2.0.25","insomnia-importers@2.0.26","insomnia-importers@2.0.3","insomnia-importers@2.0.4","insomnia-importers@2.0.5","insomnia-importers@2.0.6","insomnia-libcurl@0.0.10","insomnia-libcurl@0.0.12","insomnia-libcurl@0.0.13","insomnia-libcurl@0.0.14","insomnia-libcurl@0.0.15","insomnia-libcurl@0.0.16","insomnia-libcurl@0.0.22","insomnia-libcurl@0.0.24","insomnia-libcurl@0.0.26","insomnia-libcurl@0.0.27","insomnia-libcurl@0.0.28","insomnia-libcurl@0.0.32","insomnia-libcurl@0.0.33","insomnia-libcurl@0.0.4","insomnia-libcurl@0.0.5","insomnia-libcurl@0.0.6","insomnia-libcurl@0.0.7","insomnia-libcurl@0.0.8","insomnia-libcurl@0.0.9","insomnia-plugin-base64@1.0.10","insomnia-plugin-base64@1.0.13","insomnia-plugin-base64@1.0.4","insomnia-plugin-base64@1.0.5","insomnia-plugin-base64@1.0.7","insomnia-plugin-base64@1.0.9","insomnia-plugin-cookie-jar@1.0.1","insomnia-plugin-cookie-jar@1.0.11","insomnia-plugin-cookie-jar@1.0.12","insomnia-plugin-cookie-jar@1.0.13","insomnia-plugin-cookie-jar@1.0.14","insomnia-plugin-cookie-jar@1.0.15","insomnia-plugin-cookie-jar@1.0.19","insomnia-plugin-cookie-jar@1.0.2","insomnia-plugin-cookie-jar@1.0.20","insomnia-plugin-cookie-jar@1.0.6","insomnia-plugin-cookie-jar@1.0.7","insomnia-plugin-cookie-jar@1.0.9","insomnia-plugin-core-themes@1.0.12","insomnia-plugin-core-themes@1.0.13","insomnia-plugin-core-themes@1.0.4","insomnia-plugin-core-themes@1.0.6","insomnia-plugin-core-themes@1.0.8","insomnia-plugin-core-themes@1.0.9","insomnia-plugin-default-headers@1.1.10","insomnia-plugin-default-headers@1.1.11","insomnia-plugin-default-headers@1.1.14","insomnia-plugin-default-headers@1.1.6","insomnia-plugin-default-headers@1.1.7","insomnia-plugin-default-headers@1.1.8","insomnia-plugin-file@1.0.10","insomnia-plugin-file@1.0.11","insomnia-plugin-file@1.0.14","insomnia-plugin-file@1.0.4","insomnia-plugin-file@1.0.6","insomnia-plugin-file@1.0.8","insomnia-plugin-hash@1.0.10","insomnia-plugin-hash@1.0.11","insomnia-plugin-hash@1.0.14","insomnia-plugin-hash@1.0.4","insomnia-plugin-hash@1.0.5","insomnia-plugin-hash@1.0.6","insomnia-plugin-hash@1.0.8","insomnia-plugin-jsonpath@1.0.1","insomnia-plugin-jsonpath@1.0.10","insomnia-plugin-jsonpath@1.0.11","insomnia-plugin-jsonpath@1.0.13","insomnia-plugin-jsonpath@1.0.15","insomnia-plugin-jsonpath@1.0.16","insomnia-plugin-jsonpath@1.0.17","insomnia-plugin-jsonpath@1.0.18","insomnia-plugin-jsonpath@1.0.2","insomnia-plugin-jsonpath@1.0.22","insomnia-plugin-jsonpath@1.0.23","insomnia-plugin-jsonpath@1.0.3","insomnia-plugin-jsonpath@1.0.4","insomnia-plugin-jsonpath@1.0.5","insomnia-plugin-jsonpath@1.0.6","insomnia-plugin-now@1.0.10","insomnia-plugin-now@1.0.12","insomnia-plugin-now@1.0.14","insomnia-plugin-now@1.0.15","insomnia-plugin-now@1.0.16","insomnia-plugin-now@1.0.20","insomnia-plugin-now@1.0.21","insomnia-plugin-now@1.0.4","insomnia-plugin-now@1.0.5","insomnia-plugin-now@1.0.6","insomnia-plugin-os@1.0.12","insomnia-plugin-os@1.0.14","insomnia-plugin-os@1.0.16","insomnia-plugin-os@1.0.17","insomnia-plugin-os@1.0.18","insomnia-plugin-os@1.0.22","insomnia-plugin-os@1.0.23","insomnia-plugin-os@1.0.5","insomnia-plugin-os@1.0.6","insomnia-plugin-os@1.0.7","insomnia-plugin-os@1.0.8","insomnia-plugin-prompt@1.0.8","insomnia-plugin-prompt@1.0.9","insomnia-plugin-prompt@1.1.1","insomnia-plugin-prompt@1.1.10","insomnia-plugin-prompt@1.1.12","insomnia-plugin-prompt@1.1.13","insomnia-plugin-prompt@1.1.14","insomnia-plugin-prompt@1.1.15","insomnia-plugin-prompt@1.1.18","insomnia-plugin-prompt@1.1.2","insomnia-plugin-prompt@1.1.3","insomnia-plugin-prompt@1.1.4","insomnia-plugin-prompt@1.1.5","insomnia-plugin-prompt@1.1.6","insomnia-plugin-prompt@1.1.8","insomnia-plugin-request@1.0.10","insomnia-plugin-request@1.0.11","insomnia-plugin-request@1.0.12","insomnia-plugin-request@1.0.16","insomnia-plugin-request@1.0.17","insomnia-plugin-request@1.0.19","insomnia-plugin-request@1.0.21","insomnia-plugin-request@1.0.22","insomnia-plugin-request@1.0.23","insomnia-plugin-request@1.0.24","insomnia-plugin-request@1.0.28","insomnia-plugin-request@1.0.29","insomnia-plugin-request@1.0.6","insomnia-plugin-request@1.0.8","insomnia-plugin-request@1.0.9","insomnia-plugin-response@1.0.10","insomnia-plugin-response@1.0.14","insomnia-plugin-response@1.0.15","insomnia-plugin-response@1.0.17","insomnia-plugin-response@1.0.19","insomnia-plugin-response@1.0.20","insomnia-plugin-response@1.0.21","insomnia-plugin-response@1.0.22","insomnia-plugin-response@1.0.23","insomnia-plugin-response@1.0.24","insomnia-plugin-response@1.0.28","insomnia-plugin-response@1.0.29","insomnia-plugin-response@1.0.7","insomnia-plugin-response@1.0.8","insomnia-plugin-response@1.0.9","insomnia-plugin-uuid@1.0.11","insomnia-plugin-uuid@1.0.13","insomnia-plugin-uuid@1.0.14","insomnia-plugin-uuid@1.0.15","insomnia-plugin-uuid@1.0.19","insomnia-plugin-uuid@1.0.20","insomnia-plugin-uuid@1.0.4","insomnia-plugin-uuid@1.0.5","insomnia-plugin-uuid@1.0.9","insomnia-prettify@0.1.10","insomnia-prettify@0.1.11","insomnia-prettify@0.1.14","insomnia-prettify@0.1.3","insomnia-prettify@0.1.4","insomnia-prettify@0.1.5","insomnia-prettify@0.1.6","insomnia-prettify@0.1.8","insomnia-url@0.1.10","insomnia-url@0.1.13","insomnia-url@0.1.3","insomnia-url@0.1.5","insomnia-url@0.1.7","insomnia-url@0.1.9","insomnia-xpath@1.0.1","insomnia-xpath@1.0.10","insomnia-xpath@1.0.12","insomnia-xpath@1.0.13","insomnia-xpath@1.0.14","insomnia-xpath@1.0.18","insomnia-xpath@1.0.19","insomnia-xpath@1.0.2","insomnia-xpath@1.0.3","insomnia-xpath@1.0.4","insomnia-xpath@1.0.8","lib@2.2.10","lib@2.2.11","lib@2.2.12","lib@2.2.13","lib@2.2.14","lib@2.2.15","lib@2.2.16","lib@2.2.17","lib@2.2.18","lib@2.2.19","lib@2.2.2","lib@2.2.20","lib@2.2.21","lib@2.2.29","lib@2.2.3","lib@2.2.30","lib@2.2.36-beta","lib@2.2.4","lib@2.2.6","lib@2.2.8","list","pkg-v2.1.2","pkg-v2.1.3","pkg-v2.1.4","pkg-v2.1.5","pkg-v2.1.6","test-13","v2.1.0","v2.1.1","v3.0.11","v3.0.12","v3.2.2","v3.2.3","v4.0.0","v5.0.0","v5.0.1","v5.0.12","v5.0.2","v5.0.20","v5.0.3","v5.0.4","v5.0.5","v5.10.1","v5.11.0","v5.11.5","v5.11.7","v5.12.0","v5.12.0-beta.2","v5.12.0-beta.3","v5.12.1","v5.12.3","v5.12.4","v5.12.4-beta.2","v5.14.3","v5.14.6","v5.14.7","v5.14.8","v5.14.9","v5.15.0","v5.16.0","v5.16.1","v5.16.1-2","v5.16.2","v5.16.4","v5.16.5","v5.16.6","v5.2.0","v5.3.0","v5.3.3","v5.3.6","v5.4.0","v5.5.2","v5.6.1","v5.6.3","v5.7.0","v5.7.10","v5.7.11","v5.7.12","v5.7.14","v5.7.4","v5.7.9","v5.8.2","v5.8.3","v5.8.4","v5.9.0","v5.9.2","v5.9.6","v6.0.0","v6.0.0-beta.1","v6.0.0-beta.2","v6.0.1","v6.0.2","v6.0.3-beta.1","v6.2.0","v6.2.3","v6.3.0","v6.3.1","v6.3.2","v6.4.0","v6.4.1","v6.4.2","v6.5.0","v6.5.1","v6.5.3","v6.5.4","v6.6.0","v7.0.4","v7.0.4-beta.4","v7.0.4-beta.5","v7.0.4-beta.6","v7.0.5","v7.0.6","v7.1.0","v7.1.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-1087.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"}]}