Description
A vulnerability was identified in Jcharis Machine-Learning-Web-Apps up to a6996b634d98ccec4701ac8934016e8175b60eb5. The impacted element is the function render_template of the file Machine-Learning-Web-Apps-master/Build-n-Deploy-Flask-App-with-Waypoint/app/app.py of the component Jinja2 Template Handler. Such manipulation leads to cross-site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-03-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the render_template function of the Machine‑Learning‑Web‑Apps Flask application, allowing users to inject malicious scripts via manipulated input. This flaw enables cross‑site scripting (XSS), classified as CWE‑79, and due to Jinja2’s code generation capabilities it also aligns with CWE‑94. When exploited, the attacker can execute arbitrary JavaScript in the browsers of any user who visits the affected page, potentially leading to credential theft, session hijacking, or defacement of web content.

Affected Systems

Affected installations are those built from Jcharis:Machine‑Learning‑Web‑Apps at commit a6996b634d98ccec4701ac8934016e8175b60eb5 or earlier. Because the project adopts a rolling release model, explicit version numbers are not tied to releases; any deployment that has not been updated since that commit is potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score is below 1%, suggesting low exploitation likelihood at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but the exploit is publicly available and could be used by attackers. Attackers can target the application through its remote web interface, as the flaw exists in a publicly reachable endpoint. The lack of an official patch or workaround heightens the risk for environments that remain on older commits.

Generated by OpenCVE AI on March 17, 2026 at 17:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether your deployment is built from the vulnerable commit or an earlier revision; if so, upgrade to the latest code from the repository or apply a patch once the maintainer releases one.
  • Enable auto‑escaping in Jinja2 and apply input sanitization for all user‑supplied fields; consider adding a Content Security Policy to mitigate XSS effects.
  • Monitor application logs and web traffic for signs of script injection; block malicious traffic with a WAF or firewall rule.
  • If the application is not critical to operations, consider removing it from production until a fix is available.


Advisories

No advisories yet.

History

Thu, 12 Mar 2026 14:15:00 +0000

  Metrics added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

  First Time appeared: Jcharis; Jcharis machine-learning-web-apps
  Vendors & Products added: Jcharis; Jcharis machine-learning-web-apps

Wed, 11 Mar 2026 22:45:00 +0000

  Description added: A vulnerability was identified in Jcharis Machine-Learning-Web-Apps up to a6996b634d98ccec4701ac8934016e8175b60eb5. The impacted element is the function render_template of the file Machine-Learning-Web-Apps-master/Build-n-Deploy-Flask-App-with-Waypoint/app/app.py of the component Jinja2 Template Handler. Such manipulation leads to cross-site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
  Title added: Jcharis Machine-Learning-Web-Apps Jinja2 Template app.py render_template cross site scripting
  Weaknesses added: CWE-79; CWE-94
  References added: (none listed)
  Metrics added:
    cvssV2_0 {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
    cvssV3_0 {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-12T13:46:31.071Z

Reserved: 2026-03-11T12:56:45.656Z

Link: CVE-2026-3962

Vulnrichment

Updated: 2026-03-12T13:46:26.680Z

NVD

Status: Deferred

Published: 2026-03-11T23:16:00.747

Modified: 2026-04-22T21:30:26.497

Link: CVE-2026-3962

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:36:42Z

Weaknesses