SYM_PY_0134 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Building the template string passed to Flask's render_template_string from untrusted input (rather than passing that input as a template variable) allows attackers to inject template directives, leading to server-side template injection (SSTI). Because the injected directives are evaluated by the template engine, this can expose sensitive data or let attackers execute code on your server.
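The following is an added example, not code from the wiki entry or from the Symbiotic project, showing the vulnerable pattern beside the hardened one in a minimal Flask app. It assumes Flask is installed; the route names, the `name` parameter and the `render` helper (which drives the app through Flask's test client so it runs offline) are all constructed for this demonstration. The `{{ 7 * 7 }}` probe is the standard check reviewers use to tell the two apart: the unsafe route evaluates it, the safe route returns it verbatim.

```python
from flask import Flask, render_template_string, request

app = Flask(__name__)


# Vulnerable pattern (CWE-96): untrusted input is concatenated into the
# template source, so any Jinja directives it contains are parsed and run.
@app.route("/greet-unsafe")
def greet_unsafe():
    name = request.args.get("name", "world")
    template = "<h1>Hello " + name + "!</h1>"  # input has become template code
    return render_template_string(template)


# Hardened pattern: the template source is a constant string; untrusted input
# is passed as a context variable, so Jinja treats it as data (and Flask's
# autoescaping for render_template_string HTML-escapes it).
@app.route("/greet")
def greet_safe():
    name = request.args.get("name", "world")
    return render_template_string("<h1>Hello {{ name }}!</h1>", name=name)


def render(path, name):
    """Constructed helper: GET `path` with ?name=<name> via the test client and
    return the response body as text, so both routes can be compared offline."""
    with app.test_client() as client:
        resp = client.get(path, query_string={"name": name})
        return resp.get_data(as_text=True)


if __name__ == "__main__":
    probe = "{{ 7 * 7 }}"
    print("unsafe:", render("/greet-unsafe", probe))  # directive is evaluated
    print("safe:  ", render("/greet", probe))         # directive stays literal
```

When auditing a code base for this pattern, look for `render_template_string` whose argument is built with `+`, `%`, `.format()` or an f-string from request data; the fix is always the same move shown above, keep the template static and hand the data over as keyword arguments.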
Impact
If exploited, an attacker could run arbitrary code on your server, access confidential information, or deface your application. This may lead to full system compromise, data breaches, or unauthorized actions within your application.