diff --git a/cwe_error_test1.py b/cwe_error_test1.py
new file mode 100644
index 0000000..0dea3c6
--- /dev/null
+++ b/cwe_error_test1.py
@@ -0,0 +1,14 @@
+from flask import Flask, request, render_template_string
+
+app = Flask(__name__)
+
+@app.route('/')
+def index():
+ # Get user input from the query parameter "name"
+ user_input = request.args.get('name', 'World')
+
+ # This line is vulnerable to XSS. It directly places user_input into the HTML.
+ return render_template_string('

Hello, ' + user_input + '!

')
+
+if __name__ == '__main__':
+ app.run(debug=True)
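Review bot: The comment above the `render_template_string` call understates the defect: because `user_input` is concatenated into the template source itself, Jinja evaluates whatever the request supplies, which is server-side template injection rather than only reflected XSS, and it also sidesteps the autoescaping that would apply to a context variable. The safe form keeps the template literal fixed and passes the value as context, e.g. `return render_template_string('Hello, {{ name }}!', name=user_input)` (the markup around the greeting appears to have been lost in rendering, so restore it inside the literal). If this file is meant as a deliberately vulnerable sample, the comment should at least name the right class, e.g. `# Vulnerable: user_input becomes part of the Jinja template source (template injection), not just XSS.` Separately, `app.run(debug=True)` at the end of the hunk enables the Werkzeug interactive debugger, which must not be reachable from a network in anything beyond local development.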