Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’)

Property
Language: python
Severity: low
CWE: CWE-96: Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The code builds HTML templates using string formatting (like .format(), %, or f-strings) before rendering them with Flask’s render_template_string. This approach can allow user input to alter the template, making it vulnerable to injection attacks.

Impact

If exploited, attackers could inject malicious code or scripts into rendered pages, leading to server-side template injection or cross-site scripting. This can expose sensitive data, compromise user accounts, or let attackers execute commands on the server.

Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’)

Property
Language: python
Severity: low
CWE: CWE-96: Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Using Flask’s render_template_string with untrusted input allows attackers to inject malicious template code, leading to server-side template injection (SSTI). This can expose sensitive data or let attackers execute code on your server.

Impact

If exploited, an attacker could run arbitrary code on your server, access confidential information, or deface your application. This may lead to full system compromise, data breaches, or unauthorized actions within your application.
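The two findings above share one root cause and one fix: user input must be passed to the template as context, never formatted into the template source. The example below is added here and is not the scanner's or Flask's own code. Flask's render_template_string hands the string to the application's Jinja2 environment, so plain Jinja2 is used to keep it stand-alone (assumption: the Jinja2 package is installed); the greet_unsafe/greet_safe names and the probe string are constructed for illustration. The probe contains template syntax and nothing else, which is the check a reviewer runs to confirm the fix: after the change it must render literally.

```python
# Added example (not the scanner's or Flask's own code). Flask's
# render_template_string passes the string to the app's Jinja2 environment,
# so plain Jinja2 is used here to keep the example stand-alone.
# Assumption: the Jinja2 package is installed.
from jinja2 import Environment, BaseLoader

env = Environment(loader=BaseLoader(), autoescape=True)


def greet_unsafe(name: str) -> str:
    """Flagged pattern: user input is formatted INTO the template source,
    so any template syntax inside `name` is parsed and evaluated."""
    template_source = f"<p>Hello {name}</p>"
    return env.from_string(template_source).render()


def greet_safe(name: str) -> str:
    """Fixed pattern: the template source is a constant and user input is
    supplied as context, so it is only ever treated as data."""
    template_source = "<p>Hello {{ name }}</p>"
    return env.from_string(template_source).render(name=name)


# Constructed probe input: template syntax with no other content.
PROBE = "{{ 7 * 7 }}"

if __name__ == "__main__":
    print(greet_unsafe(PROBE))     # expression evaluated: <p>Hello 49</p>
    print(greet_safe(PROBE))       # rendered literally: <p>Hello {{ 7 * 7 }}</p>
    # autoescape=True also neutralises HTML arriving through the data path
    print(greet_safe("<b>x</b>"))  # <p>Hello &lt;b&gt;x&lt;/b&gt;</p>
```

Keeping the template source constant is what makes the finding go away; autoescape is a separate control that protects the data path against markup, and it does nothing for a template whose source the user can alter.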

Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’)

Property
Language: python
Severity: medium
CWE: CWE-96: Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Passing locals() directly as the template context in Django exposes all local variables and functions to the template, including sensitive or internal objects. This can allow unintended access to Python functions and data within templates.

Impact

An attacker could exploit this to execute arbitrary code or access sensitive information through template manipulation, leading to server compromise, data leakage, or unauthorized actions within your application.

Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’)

Property
Language: python
Severity: medium
CWE: CWE-96: Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Passing globals() as the context to a template render function exposes all global variables and functions to the template, including sensitive or dangerous objects. This makes it easy for attackers to access or execute code that should be hidden from templates.

Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’)

Property
Language: python
Severity: low
CWE: CWE-96: Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The code uses user input from HTTP request data to dynamically access or call global variables or functions via globals(). This allows attackers to control which code is executed, creating a serious security risk.

Impact

If exploited, an attacker could execute arbitrary code on your server—potentially reading files, modifying data, or taking over the system. This could lead to full system compromise, data breaches, and loss of control over the application.
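The three preceding findings (locals() as template context, globals() as template context, and request-controlled lookups in globals()) are all fixed the same way: the set of names a template or a request can reach is written down explicitly. The example below is added here and is not the scanner's or Django's own code; it uses string.Template from the standard library as a stand-in renderer so it runs without Django, and every name in it (the view functions, the exporters, the secret value) is constructed for illustration.

```python
# Added example (not the scanner's or Django's own code). Shows the fix for
# the locals()/globals() findings: an allowlisted template context and a
# closed dispatch table instead of globals()[name]. All names are constructed.
from string import Template  # stdlib stand-in for a template engine

DB_PASSWORD = "constructed-secret"  # module global that must never reach a template


def report_view_flagged(username: str) -> dict:
    """Flagged pattern: locals() becomes the context, so every local,
    including the connection string, is reachable from the template."""
    greeting = "Welcome"
    conn_string = f"postgres://app:{DB_PASSWORD}@db/app"  # would be used for a query
    return dict(locals())


def report_view_fixed(username: str) -> dict:
    """Fixed pattern: only the values the template needs are passed."""
    greeting = "Welcome"
    conn_string = f"postgres://app:{DB_PASSWORD}@db/app"  # stays in the view
    return {"greeting": greeting, "username": username}


def render(context: dict) -> str:
    # string.Template stands in for the real template engine in this example
    return Template("$greeting, $username").substitute(context)


def context_leaks_secret(context: dict) -> bool:
    """Review check: does any context value carry the secret?"""
    return any(DB_PASSWORD in str(v) for v in context.values())


# --- request-controlled function selection ---------------------------------
def export_csv() -> str:
    return "csv export"


def export_pdf() -> str:
    return "pdf export"


# Fixed pattern for the globals()[name]() finding: a closed dispatch table.
EXPORTERS = {"csv": export_csv, "pdf": export_pdf}


def is_registered_export(action: str) -> bool:
    return action in EXPORTERS


def run_export(action: str) -> str:
    """Reject anything not explicitly registered instead of resolving the
    request-supplied name against globals()."""
    if not is_registered_export(action):
        raise ValueError(f"unknown export action: {action!r}")
    return EXPORTERS[action]()


if __name__ == "__main__":
    print(context_leaks_secret(report_view_flagged("alice")))  # True
    print(context_leaks_secret(report_view_fixed("alice")))    # False
    print(render(report_view_fixed("alice")))                  # Welcome, alice
    print(run_export("csv"))                                   # csv export
```

The context_leaks_secret check is the kind of assertion worth keeping in a view's unit tests: it fails the moment someone reintroduces locals() or widens the context to the whole module namespace.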

Improper Neutralization of Escape, Meta, or Control Sequences

Property
Language: regex
Severity: low
CWE: CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Disabling HTML escaping in a web template (e.g., using escape=false) allows untrusted data to be rendered as raw HTML. This makes it easy for malicious scripts to be injected and executed in the user’s browser.

Impact

If exploited, attackers can perform cross-site scripting (XSS) attacks, stealing user data, hijacking sessions, or defacing the site. This compromises user trust and can expose sensitive information or allow further attacks against your application and its users.

Improper Neutralization of Formula Elements in a CSV File

Property
Language: python
Severity: low
CWE: CWE-1236: Improper Neutralization of Formula Elements in a CSV File
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Detected the generation of a CSV file using the built-in csv module. If user data is used to populate this file, an attacker could inject a formula that runs when the CSV is imported into a spreadsheet application; such a formula could steal data from the importing user or, at worst, install malware on the user’s computer. defusedcsv is a drop-in replacement with the same API that attempts to mitigate formula injection. You can use defusedcsv instead of csv to generate CSVs safely.

Improper Neutralization of Formula Elements in a CSV File

Property
Language: python
Severity: medium
CWE: CWE-1236: Improper Neutralization of Formula Elements in a CSV File
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

User input is being written directly into a CSV file using Python’s built-in csv module. This allows attackers to inject spreadsheet formulas that may be executed when the CSV is opened in programs like Excel, causing security risks.

Impact

If exploited, an attacker could craft input that executes malicious scripts or commands when the CSV is opened, potentially stealing data, hijacking sessions, or installing malware on the user’s machine. This puts both users and organizational data at risk.

Improper Neutralization of Formula Elements in a CSV File

Property
Language: python
Severity: medium
CWE: CWE-1236: Improper Neutralization of Formula Elements in a CSV File
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

Detected user input flowing into a CSV file generated with the built-in csv module. An attacker could inject a formula that runs when the CSV is imported into a spreadsheet application; such a formula could steal data from the importing user or, at worst, install malware on the user’s computer. defusedcsv is a drop-in replacement with the same API that attempts to mitigate formula injection. You can use defusedcsv instead of csv to generate CSVs safely.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: generic
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The code injects variables directly into HTML using the Html() method without proper sanitization, which can allow untrusted input to be rendered as raw HTML. This practice risks exposing your application to cross-site scripting (XSS) attacks.