Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’)
| Property | Value |
|---|---|
| Language | Python |
| Severity | |
| CWE | CWE-96: Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
The code builds the HTML template text itself with string formatting (.format(), %, or f-strings) and then passes the result to Flask’s render_template_string. Any user input that reaches the formatting step becomes part of the template source rather than a value the template renders, so the input can change the template’s directives and make the page vulnerable to injection attacks.
Impact
If exploited, attackers could inject malicious code or scripts into rendered pages, leading to server-side template injection or cross-site scripting. This can expose sensitive data, compromise user accounts, or let attackers execute commands on the server.
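The following is an added example, not code from the original page: a minimal stdlib-only checker for the pattern this rule describes. It parses Python source with the ast module and reports render_template_string calls whose first argument is assembled with an f-string, .format(), % or + concatenation, and the constructed sample embeds both the flagged pattern and the safe alternative (a constant template with the value passed as a context variable). It is a syntactic check with no dataflow, so a template built in a variable elsewhere is not tracked.

```python
import ast

def _is_dynamic_template(node: ast.expr) -> bool:
    """True if the template argument is assembled from other values at runtime."""
    if isinstance(node, ast.JoinedStr):  # f-string with at least one {expr}
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):  # "...".format(...)
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True  # "..." % values  or  "..." + value
    return False

def find_dynamic_render_calls(source: str) -> list[int]:
    """Line numbers (1-based, within `source`) of render_template_string calls
    whose template text is built dynamically. No dataflow: a template stored in
    a variable and passed later is not detected."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name != "render_template_string" or not node.args:
            continue
        if _is_dynamic_template(node.args[0]):
            hits.append(node.lineno)
    return sorted(hits)

# Constructed sample input (hypothetical app); reported line numbers refer to it.
SAMPLE = '''\
from flask import Flask, request, render_template_string
app = Flask(__name__)

@app.route("/hello")
def hello_bad():
    name = request.args.get("name", "")
    return render_template_string(f"<h1>Hello {name}</h1>")  # input becomes template source

@app.route("/hello2")
def hello_bad2():
    return render_template_string("<h1>Hello {}</h1>".format(request.args.get("name", "")))

@app.route("/safe")
def hello_good():  # constant template; the value is rendered, not parsed as a directive
    return render_template_string("<h1>Hello {{ name }}</h1>", name=request.args.get("name", ""))
'''

if __name__ == "__main__":
    print(find_dynamic_render_calls(SAMPLE))  # [7, 11]
```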