Affected versions of nunjucks do not properly escape specially structured user input in template vars when in auto-escape mode, resulting in a cross-site scripting vulnerability.
Escaping is bypassed when array-style keys are used for a template var, for example:

    name[]=<script>alert(1)</script>
A full PoC is available in the references section.
Update to version 2.4.3 or later.
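
The following added example (not nunjucks source code and not the PoC from the references) models why an array-valued template var can slip past an escaping step that only handles strings, next to a version that coerces before escaping and a type check at the input boundary. All function names are hypothetical, and `parsedQuery` is a constructed sample that assumes a qs-style query parser turning `name[]=...` into an array.

```javascript
// Added illustration: a simplified model of an auto-escaping output step.
// All function names here are hypothetical; this is not nunjucks source code.

const ENTITIES = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };

function escapeHtml(str) {
  return str.replace(/[&"'<>]/g, (ch) => ENTITIES[ch]);
}

// Flawed pattern: only values that are already strings get escaped.
function renderValueStringsOnly(val) {
  if (typeof val === 'string') {
    val = escapeHtml(val);
  }
  return '' + val; // an array is joined into a string here, unescaped
}

// Hardened pattern: coerce to a string first, then escape the result.
function renderValueCoerced(val) {
  if (val === undefined || val === null) return '';
  return escapeHtml(String(val));
}

// Boundary check: accept only a single string for a scalar parameter.
function requireString(val) {
  if (typeof val !== 'string') {
    throw new TypeError('expected a string parameter');
  }
  return val;
}

// Constructed input (assumption): what a qs-style query parser yields
// for the array-form parameter shown in the advisory (name[]=...).
const parsedQuery = { name: ['<script>alert(1)</script>'] };

function demo() {
  let rejected = false;
  try { requireString(parsedQuery.name); } catch (e) { rejected = true; }
  return {
    stringsOnly: renderValueStringsOnly(parsedQuery.name), // markup survives
    coerced: renderValueCoerced(parsedQuery.name),         // markup escaped
    rejected,                                              // array refused
  };
}

console.log(demo());
```

Validating parameter types at the request boundary remains useful after upgrading, since it does not depend on the template engine's escaping behaviour.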