Python

Note: The legacy Mend SAST Application was deprecated on April 1st, 2025. For assistance with migrating to the Mend AppSec Platform, please contact your customer success manager or the success team at success@mend.io.

This article covers Python support and vulnerability detection for Mend SAST.

Mend SAST-supported Python file types

  • .py
  • .pyi
  • .htm
  • .html
  • .jinja
  • .jinja2

Mend SAST-supported Python frameworks

  • Django
  • Django Templates
  • Flask
  • Flask Jinja 2
  • AIOHTTP
  • Bottle
  • CherryPy
  • FastAPI
  • Masonite
  • Pyramid
  • web2py

Mend SAST-supported Python vulnerability types

The Python vulnerability types detected by Mend SAST are listed below, grouped by severity and ordered by CWE ID within each group. Each entry gives the CWE, the vulnerability type, and the Low Probability Impact: the additional taint sources or sinks that are considered for that type, or UNAFFECTED where nothing changes.

Python high-severity vulnerability types

CWE-22: Path/Directory Traversal

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

  • Additional Taint Sinks:
    Disabling standard autoescape implementations

CWE-78: Command Injection

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-79: Cross-Site Scripting

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-89: SQL Injection

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-94: Code Injection

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-502: Deserialization of Untrusted Data

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-643: XPath Injection

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-732: Incorrect Permission Assignment for Critical Resource

  • UNAFFECTED

CWE-918: Server-Side Request Forgery

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-943: Improper Neutralization of Special Elements in Data Query Logic

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

Python medium-severity vulnerability types

CWE-90: LDAP Injection

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-209: Generation of Error Message Containing Sensitive Information

  • UNAFFECTED

CWE-295: Improper Certificate Validation

  • UNAFFECTED

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

  • UNAFFECTED

CWE-377: Insecure Temporary File

  • UNAFFECTED

CWE-400: Uncontrolled Resource Consumption

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-611: Improper Restriction of XML External Entity Reference

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-676: Use of Potentially Dangerous Function

  • UNAFFECTED

CWE-798: Use of Hard-coded Credentials

  • Additional Taint Sinks:
    Assignments of hard-coded strings to variables/attributes with special names like password

CWE-1336: Server-Side Template Injection

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

Python low-severity vulnerability types

CWE-20: Mail Relay

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-20: Memcache Injection Vulnerability

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-117: Improper Output Neutralization for Logs

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-328: Use of Weak Hash

  • UNAFFECTED

CWE-601: Unvalidated/Open Redirect

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-941: Arbitrary Server Connection

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)

CWE-1333: Regex Denial of Service (ReDoS)

  • Additional Taint Sources:
    Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, URL access)
