MEDIUM · CVSS 6.1
CVE-2024-22195 — Jinja2 XSS via xmlattr filter
A cross-site scripting vulnerability in Jinja2's `xmlattr` filter allowed attacker-controlled attribute keys to inject arbitrary HTML attributes, reintroducing XSS in Flask and FastAPI apps that passed user-supplied keys through the filter.
Affects
- Jinja2 < 3.1.3
What an attacker does
The attacker submits a form value that becomes an attribute key in a template rendered with `xmlattr`. Before the patch, Jinja2 did not validate attribute names; the attacker could inject `onerror=` or similar event handlers directly.
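The defensive counterpart to the behaviour described above, as an added example (not Jinja2's code and not part of this advisory): an `xmlattr`-style renderer that escapes values and refuses any key that is not a plain attribute name, plus a helper that reports which keys of a submitted form would be refused so the event can be logged. The rejected character set (whitespace, `/`, `>`, `=`) is an assumption chosen because each of those characters lets a key terminate or extend the tag; the `safe_xmlattr` and `unsafe_attr_keys` names are ours.

```python
import re
from html import escape
from typing import Any, Dict, List

# Characters that let a key escape the attribute-name position: whitespace,
# '/', '>' and '='. (Assumption: this is our own app-level check with the
# same intent as the validation Jinja2 3.1.3 added; it is not Jinja2's code.)
_UNSAFE_KEY = re.compile(r"[\s/>=]")


def is_valid_attr_key(key: str) -> bool:
    """True only for a non-empty key that cannot break out of the attribute name."""
    return bool(key) and _UNSAFE_KEY.search(key) is None


def unsafe_attr_keys(attrs: Dict[str, Any]) -> List[str]:
    """Keys that safe_xmlattr would reject; useful for logging a tampered form."""
    return [k for k in attrs if not is_valid_attr_key(k)]


def safe_xmlattr(attrs: Dict[str, Any]) -> str:
    """Render a dict as HTML attributes the way `xmlattr` does: values are
    escaped, None values are dropped, and any key that is not a plain
    attribute name raises instead of being written into the tag."""
    parts = []
    for key, value in attrs.items():
        if value is None:
            continue
        if not is_valid_attr_key(key):
            raise ValueError(f"invalid character in attribute name: {key!r}")
        parts.append(f'{key}="{escape(str(value), quote=True)}"')
    return " " + " ".join(parts) if parts else ""


if __name__ == "__main__":
    # Constructed sample input: a well-formed attribute dict.
    good = {"class": "btn", "data-id": 42, "hidden": None}
    print("<a" + safe_xmlattr(good) + ">")  # <a class="btn" data-id="42">

    # Constructed sample input: a form field name arriving as a key, of the
    # kind the advisory describes. It is refused before it reaches the page.
    tampered = {"class": "btn", "x onerror": "1"}
    print("rejected:", unsafe_attr_keys(tampered))  # ['x onerror']
```

Upgrading Jinja2 remains the fix; a check like this is defence in depth for templates that must accept attribute names from request data, and it gives you something to alert on when a request carries a key that would have been rejected.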
How to detect
`pip show jinja2` — upgrade if below 3.1.3.
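`pip show jinja2` only reports the environment it runs in; pinned requirements files are where the vulnerable version usually survives. The following is an added example (not Securie's scanner and not part of this advisory) that audits requirements lines against the 3.1.3 fix and, separately, checks the active interpreter through `importlib.metadata`. The sample requirements file is constructed, and the status labels (`vulnerable`, `floor-below-fix`, `unpinned`, `ok`) are our own naming.

```python
import re
from importlib import metadata
from typing import Dict, Optional, Tuple

FIXED_VERSION = (3, 1, 3)  # first Jinja2 release without CVE-2024-22195

# Constructed sample requirements file, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
flask==3.0.0
Jinja2==3.1.2           # exact pin below the fix: vulnerable
fastapi>=0.100
jinja2>=3.1.0           # floor below the fix: the resolver may still pick 3.1.3+
MarkupSafe==2.1.3
"""

# name, optional extras, optional operator, optional version
_REQ = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9_.-]*)\s*(?:\[[^\]]*\])?\s*(==|>=|~=)?\s*([0-9][0-9.]*)?"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.1.2' into (3, 1, 2); pre-release suffixes such as 'rc1' are ignored."""
    m = re.match(r"[0-9]+(?:\.[0-9]+)*", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else (0,)


def classify(line: str) -> Optional[str]:
    """Classify one requirements line with respect to the fix.
    Returns None for packages other than Jinja2."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = _REQ.match(line)
    if not m or m.group(1).lower() != "jinja2":
        return None
    op, ver = m.group(2), m.group(3)
    if not op or not ver:
        return "unpinned"  # no usable version here: check the lock file
    if parse_version(ver) >= FIXED_VERSION:
        return "ok"
    # An exact pin below 3.1.3 is definitely vulnerable; a '>=' or '~=' floor
    # below 3.1.3 only says the lock file must be checked.
    return "vulnerable" if op == "==" else "floor-below-fix"


def audit_requirements(text: str) -> Dict[str, str]:
    """Map each Jinja2 requirement line (comment stripped) to its status."""
    results: Dict[str, str] = {}
    for raw in text.splitlines():
        status = classify(raw)
        if status is not None:
            results[raw.split("#", 1)[0].strip()] = status
    return results


def installed_jinja2_vulnerable() -> Optional[bool]:
    """True/False for the active environment, None if Jinja2 is not installed."""
    try:
        ver = metadata.version("jinja2")
    except metadata.PackageNotFoundError:
        return None
    return parse_version(ver) < FIXED_VERSION


if __name__ == "__main__":
    for req, status in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{status:16} {req}")
    print("active environment vulnerable:", installed_jinja2_vulnerable())
```

Run it against each `requirements*.txt` in the repository and treat `vulnerable` as a blocker; `floor-below-fix` and `unpinned` mean the resolved version lives in a lock file or the deployed environment, which is what the `importlib.metadata` check covers.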
How to fix
Upgrade Jinja2 to 3.1.3+.
How Securie catches it
Securie's Python scanner flags vulnerable Jinja2 in Flask / FastAPI requirements.