# Server-Side Template Injection (SSTI)

- ID: python-ssti
- Severity: CRITICAL
- CWE: Code Injection (CWE-94)
- Languages: Python
- Frameworks: flask, django, jinja2

## Description

Detects user input used directly as template source in template rendering (for example, building the string passed to `render_template_string()` from request data). Because the template engine evaluates expressions in the template text, attacker-controlled template source allows arbitrary code execution on the server.

## Remediation

Use template files with `render_template()`, not `render_template_string()`, and pass user input only as template context variables, never as part of the template text.

```python
# Template text lives on disk; user input reaches it only as a context variable.
return render_template('page.html', name=user_name)
```

Learn more: https://shoulder.dev/learn/python/cwe-94/ssti

## Related Rules

- **Code Injection via os/exec** [CRITICAL]
- **LLM Insecure Output Handling** [HIGH]
- **Server-Side Template Injection** [CRITICAL]
- **Code Injection via eval() and Function constructor** [CRITICAL]
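The following is an added example, not part of the original rule page and not the scanner's own implementation: a minimal AST-based detector that approximates what a rule like this checks. It parses a constructed Flask module (embedded inline) and flags every `render_template_string()` call whose template argument is not a string literal, i.e. template text assembled at run time from f-strings, concatenation or arbitrary expressions. The sample routes, function names and the exact set of flagged patterns are assumptions for illustration.

```python
import ast
from typing import List, Tuple

# Constructed sample Flask module (not from the original page). Two routes build
# template text from user input (the SSTI pattern); two pass input only as data.
SAMPLE_SOURCE = '''
from flask import Flask, request, render_template, render_template_string

app = Flask(__name__)

@app.route("/hello")
def hello_unsafe():
    name = request.args.get("name", "")
    # template text is built from user input: CWE-94 / SSTI
    return render_template_string("<h1>Hello " + name + "</h1>")

@app.route("/hello2")
def hello_fstring():
    name = request.args.get("name", "")
    return render_template_string(f"<h1>Hello {name}</h1>")

@app.route("/safe")
def hello_safe():
    name = request.args.get("name", "")
    # user input only reaches the template as a context variable
    return render_template('page.html', name=name)

@app.route("/safe2")
def hello_const():
    name = request.args.get("name", "")
    # constant template text; input is rendered as data, not evaluated as code
    return render_template_string("<h1>Hello {{ name }}</h1>", name=name)
'''

# Sink functions whose first positional argument is template *source text*.
RENDER_SINKS = {"render_template_string"}


def _is_constant_str(node: ast.expr) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _call_name(call: ast.Call):
    """Return the simple name of the called function (handles `f()` and `mod.f()`)."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def find_ssti_sinks(source: str) -> List[Tuple[int, str]]:
    """Return (line, reason) for each render_template_string() call whose template
    argument is not a string literal. No data-flow tracking is done: any non-literal
    template expression is reported, which is deliberately conservative."""
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _call_name(node) not in RENDER_SINKS:
            continue
        if not node.args:
            continue  # template passed by keyword or missing; out of scope here
        template_arg = node.args[0]
        if _is_constant_str(template_arg):
            continue  # literal template text: input can only arrive as context
        if isinstance(template_arg, ast.JoinedStr):
            reason = "f-string used as template source"
        elif isinstance(template_arg, ast.BinOp):
            reason = "string concatenation used as template source"
        else:
            reason = "non-literal expression used as template source"
        findings.append((node.lineno, reason))
    return sorted(findings)


if __name__ == "__main__":
    for line, reason in find_ssti_sinks(SAMPLE_SOURCE):
        print(f"python-ssti: line {line}: {reason}")
```

Run against `SAMPLE_SOURCE`, the detector reports lines 10 and 15 (the concatenation and f-string routes) and stays silent for the two routes that keep the template text constant. Because it does not follow assignments, a variable holding template text would also be flagged; that is the trade-off of a syntax-only check and is where a real rule would add data-flow analysis.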