{"detect":{"cwe":"CWE-1336","exploit_examples":["POST /second-order/save key=evil body={{ config['VULNLAB_SSTI_SECOND_ORDER'] }}","GET /second-order/preview?id=evil"],"notes":"Per-sink scanners that only inspect render_template_string callers won't see that the rendered string was attacker-controlled. Detecting this requires cross-endpoint/cross-request data-flow analysis.","owasp":"A03:2021 \u2014 Injection (SSTI)","scanner_should_fire":true,"sinks":["POST /save stores raw template text (no render)","GET /preview retrieves and calls render_template_string"],"subtype":"second-order-stored-template","success_markers":["VULNLAB{ssti-second-order-from-stored-draft}"],"tags":["second-order","stored","cross-sink","cross-endpoint"]},"lab_url":"/second-order/","sink":"stored snippet -> render_template_string in a later request","slug":"second-order","source_url":"/source/second-order","summary":"Save endpoint stores raw template text; preview endpoint renders it.","title":"Second-order SSTI (stored draft, rendered later)","vulnerable":true}
