CVE-2026-3962

A vulnerability was identified in Jcharis Machine-Learning-Web-Apps up to a6996b634d98ccec4701ac8934016e8175b60eb5. The impacted element is the function render_template of the file Machine-Learning-Web-Apps-master/Build-n-Deploy-Flask-App-with-Waypoint/app/app.py of the component Jinja2 Template Handler. Such manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.

CVSS v3 4.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/Jcharis/Machine-Learning-Web-Apps/
https://github.com/Jcharis/Machine-Learning-Web-Apps/issues/15
https://github.com/Jcharis/Machine-Learning-Web-Apps/issues/15#issue-3995372171
https://vuldb.com/?ctiid.350391
https://vuldb.com/?id.350391
https://vuldb.com/?submit.768226

Configurations

No configuration.

History

12 Mar 2026, 21:07

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad fue identificada en Jcharis Machine-Learning-Web-Apps hasta a6996b634d98ccec4701ac8934016e8175b60eb5. El elemento afectado es la función render_template del archivo Machine-Learning-Web-Apps-master/Build-n-Deploy-Flask-App-with-Waypoint/app/app.py del componente Jinja2 Template Gestor. Dicha manipulación conduce a cross site scripting. Es posible lanzar el ataque de forma remota. El exploit está disponible públicamente y podría ser utilizado. Este producto adopta el enfoque de lanzamientos continuos para proporcionar entrega continua. Por lo tanto, los detalles de la versión para las versiones afectadas y actualizadas no están disponibles. El proyecto fue informado del problema tempranamente a través de un informe de incidencia, pero aún no ha respondido.

11 Mar 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-11 23:16

Updated : 2026-03-12 21:07

NVD link : CVE-2026-3962

Mitre link : CVE-2026-3962

CVE.ORG link : CVE-2026-3962

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-94

Improper Control of Generation of Code ('Code Injection')

4.3 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2026-3962

4.3^/10

5.0^/10

Attach tags to `CVE-2026-3962`