Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’)
| Property | Value |
|---|---|
| Language | Python |
| Severity | |
| CWE | CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Building the template source passed to Flask's render_template_string from untrusted input (for example by concatenating or formatting a request parameter into the template string) lets an attacker inject Jinja2 template directives, leading to server-side template injection (SSTI). This can expose sensitive data or let the attacker execute code on your server.
Impact
If exploited, an attacker could run arbitrary code on your server, read confidential information, or deface your application. This may lead to full system compromise, data breaches, or unauthorized actions performed within your application.
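The following is an added example, not code from the original rule page: a small stdlib-only AST check, modelled on this rule, that flags render_template_string() calls whose template source is built dynamically (concatenation, f-string, %-format, .format() or a variable) and passes calls whose template is a string literal with request data supplied as context variables. The embedded Flask module is constructed sample input containing one vulnerable view and one remediated view.

```python
import ast

# Constructed sample module: one vulnerable view and one safe view.
SAMPLE_SOURCE = '''
from flask import Flask, request, render_template_string

app = Flask(__name__)

@app.route("/hello")
def hello_vulnerable():
    name = request.args.get("name", "")
    # Untrusted input becomes part of the template source: SSTI (CWE-96).
    return render_template_string("<h1>Hello " + name + "</h1>")

@app.route("/hi")
def hello_safe():
    name = request.args.get("name", "")
    # Template is a constant; input is a context variable and gets autoescaped.
    return render_template_string("<h1>Hello {{ name }}</h1>", name=name)
'''


def _is_render_template_string(call):
    """True for render_template_string(...) and flask.render_template_string(...)."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id == "render_template_string"
    if isinstance(func, ast.Attribute):
        return func.attr == "render_template_string"
    return False


def find_dynamic_template_calls(source):
    """Return one finding per render_template_string() call whose template
    argument is anything other than a plain string literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not _is_render_template_string(node):
            continue
        template = node.args[0] if node.args else None
        if template is None:
            continue
        # Only a constant str is safe; BinOp, JoinedStr, Call, Name etc. may carry input.
        if isinstance(template, ast.Constant) and isinstance(template.value, str):
            continue
        findings.append({"line": node.lineno, "kind": type(template).__name__})
    return findings


if __name__ == "__main__":
    for f in find_dynamic_template_calls(SAMPLE_SOURCE):
        print(f"line {f['line']}: render_template_string() with dynamic template ({f['kind']})")
```

The check reports only the concatenated template on the vulnerable view; the remediated view passes because its template is a literal and `name` travels through the render context.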