| Title | Jcharis Machine-Learning-Web-Apps <=1.0.0 Reflected XSS |
|---|---|
| Description | The POST /preview endpoint takes user input from `request.form['newtext']` and passes it directly to `render_template()` as a template variable. If the Jinja2 template renders `newtext` without escaping (e.g. using `{{ newtext \| safe }}`), arbitrary HTML/JavaScript is injected into the response. The POC submits `<img src=1 onerror=alert(9)>` and the payload executes in the browser, confirming Reflected XSS. An attacker can craft a malicious link to steal session cookies or perform actions on behalf of the victim. |
| Source | https://github.com/Jcharis/Machine-Learning-Web-Apps/issues/15 |
| User | ZAST.AI (UID 87884) |
| Submission | 02/26/2026 13:54 (1 month ago) |
| Moderation | 03/11/2026 13:56 (13 days later) |
| Status | Accepted |
| VulDB entry | 350391 [Jcharis Machine-Learning-Web-Apps up to a6996b634d98ccec4701ac8934016e8175b60eb5 Jinja2 Template app.py render_template cross site scripting] |
| Points | 20 |
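The following is an added example, not code from the VulDB entry or from the Jcharis project. It models the `/preview` handler described above with the standard library only (no Flask or Jinja2 required), so the two rendering modes can be compared side by side: `mark_safe=True` stands in for a template that writes `{{ newtext | safe }}`, and `mark_safe=False` stands in for Jinja2's default autoescaping of `{{ newtext }}` for `.html` templates (the escaping rules for `<`, `>`, `&` and quotes are the same as `markupsafe.escape`). The PoC payload is the one quoted in the entry; the function names, the HTML skeleton and the template snippet scanned by `find_safe_filter_vars` are assumptions made for this example.

```python
"""Added example (not from the VulDB entry or the Jcharis project):
a stdlib-only model of the /preview handler showing why `| safe` on a
request-derived variable is the defect, and two checks a reviewer can
run: one on the rendered response, one on the template source."""
import html
import re
from dataclasses import dataclass

# Constructed sample input: the proof-of-concept payload quoted in the entry.
POC_PAYLOAD = "<img src=1 onerror=alert(9)>"

# Constructed template snippet (hypothetical; not the project's template).
TEMPLATE_SOURCE = """<h2>Preview</h2>
<p>{{ newtext | safe }}</p>
<small>{{ title }}</small>"""

# Regex for `{{ var | safe }}`: a variable rendered with escaping disabled.
_SAFE_FILTER_RE = re.compile(r"\{\{\s*([A-Za-z_]\w*)\s*\|\s*safe\s*\}\}")


def render_preview(newtext: str, mark_safe: bool = False) -> str:
    """Build the preview page body for the submitted `newtext` value.

    mark_safe=True models `{{ newtext | safe }}`: the value is concatenated
    raw.  mark_safe=False models `{{ newtext }}` under autoescaping: the
    five HTML metacharacters are replaced by entities, so browser-parsed
    markup cannot be formed from the value.
    """
    rendered = newtext if mark_safe else html.escape(newtext, quote=True)
    return f"<html><body><h2>Preview</h2><p>{rendered}</p></body></html>"


def is_reflected_unescaped(response_body: str, probe: str) -> bool:
    """Response-side check: a probe containing '<' that appears verbatim in
    the body was reflected without output encoding."""
    return "<" in probe and probe in response_body


def find_safe_filter_vars(template_source: str) -> list[str]:
    """Source-side check: names of variables rendered with `| safe`.
    Any of these that originate from the request need escaping instead."""
    return _SAFE_FILTER_RE.findall(template_source)


@dataclass
class Finding:
    mode: str
    reflected_unescaped: bool
    body: str


def audit_preview(payload: str = POC_PAYLOAD) -> list[Finding]:
    """Render the payload in both modes and report which one reflects it."""
    findings = []
    for mode, mark_safe in (("safe-filter", True), ("autoescape", False)):
        body = render_preview(payload, mark_safe=mark_safe)
        findings.append(Finding(mode, is_reflected_unescaped(body, payload), body))
    return findings


if __name__ == "__main__":
    for f in audit_preview():
        print(f"{f.mode:12} reflected_unescaped={f.reflected_unescaped}")
    print("variables rendered with | safe:", find_safe_filter_vars(TEMPLATE_SOURCE))
```

Removing `| safe` from the template (or, if HTML from `newtext` is genuinely wanted, sanitising it server-side before it is marked safe) makes the `autoescape` path the only one left, and `find_safe_filter_vars` gives a quick way to list every template variable that currently bypasses autoescaping so each can be traced back to its source.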