[Security Triage] CodeQL XSS Alert Summary — 2026-03-25
This issue tracks the triage of cross-site scripting (XSS) related CodeQL alerts for colin-d-fried/demo-python.
Scope: XSS-related alerts only (rules: py/reflective-xss, py/template-injection)Total XSS alerts: 14Severity breakdown: 1 critical/high (fast-track), 13 medium/low (batched)
Alert Checklist (prioritized)
Fast-track (Critical/High severity)
Batched (Medium/Low severity)
[CodeQL #36] Deserialization of user-controlled data #38 vulnerable_deserialization.py:14-14 | Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification: demo-only | Status: Done[CodeQL #37] Server Side Template Injection #39 vulnerable_deserialization.py:22-22 | Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification: demo-only | Status: Done[CodeQL #38] Reflected server-side cross-site scripting #40 vulnerable_deserialization.py:42-42 | Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification: demo-only | Status: Done[CodeQL #39] Reflected server-side cross-site scripting #41 vulnerable_ssrf.py:13-13 | Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification: demo-only | Status: Done[CodeQL #40] Reflected server-side cross-site scripting #42 vulnerable_ssrf.py:37-37 | Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification: demo-only | Status: Done[CodeQL #41] Reflected server-side cross-site scripting #43 vulnerable_ssrf.py:49-49 | Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification: demo-only | Status: Done[CodeQL #42] Reflected server-side cross-site scripting #44 vulnerable_xss.py:9-9 | Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification: demo-only | Status: Done[CodeQL #43] Reflected server-side cross-site scripting #45 vulnerable_xss.py:24-24 | Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification: demo-only | Status: Done[CodeQL #44] Reflected server-side cross-site scripting #46 vulnerable_xss.py:31-31 | Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification: demo-only | Status: Done[CodeQL #45] Reflected server-side cross-site scripting #47 vulnerable_xss.py:48-48 | Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification: demo-only | Status: Done[CodeQL #46] Reflected server-side cross-site scripting #48 vulnerable_xss.py:54-54 | Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification: demo-only | Status: Done[CodeQL #47] Reflected server-side cross-site scripting #49 vulnerable_xss.py:60-60 | Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification: demo-only | Status: Done[CodeQL #48] Reflected server-side cross-site scripting #50 vulnerable_xxe.py:23-23 | Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification: demo-only | Status: Done
All alerts triaged on 2026-03-25. See Triage Report #55 for full details.
[Security Triage] CodeQL XSS Alert Summary — 2026-03-25
This issue tracks the triage of cross-site scripting (XSS) related CodeQL alerts for
colin-d-fried/demo-python.Scope: XSS-related alerts only (rules:
py/reflective-xss,py/template-injection)Total XSS alerts: 14
Severity breakdown: 1 critical/high (fast-track), 13 medium/low (batched)
Alert Checklist (prioritized)
Fast-track (Critical/High severity)
vulnerable_xss.py:31-31| Server Side Template Injection | CWE-074 | View alert — Classification:demo-only| Status: DoneBatched (Medium/Low severity)
vulnerable_deserialization.py:14-14| Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification:demo-only| Status: Donevulnerable_deserialization.py:22-22| Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification:demo-only| Status: Donevulnerable_deserialization.py:42-42| Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification:demo-only| Status: Donevulnerable_ssrf.py:13-13| Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification:demo-only| Status: Donevulnerable_ssrf.py:37-37| Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification:demo-only| Status: Donevulnerable_ssrf.py:49-49| Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification:demo-only| Status: Donevulnerable_xss.py:9-9| Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification:demo-only| Status: Donevulnerable_xss.py:24-24| Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification:demo-only| Status: Donevulnerable_xss.py:31-31| Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification:demo-only| Status: Donevulnerable_xss.py:48-48| Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification:demo-only| Status: Donevulnerable_xss.py:54-54| Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification:demo-only| Status: Donevulnerable_xss.py:60-60| Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification:demo-only| Status: Donevulnerable_xxe.py:23-23| Reflected server-side cross-site scripting | CWE-079, CWE-116 | View alert — Classification:demo-only| Status: DoneAll alerts triaged on 2026-03-25. See Triage Report #55 for full details.