diff --git a/docs/sec-fixes/2025-02-24_template.md b/docs/sec-fixes/2025-02-24_template.md
new file mode 100644
index 0000000..eea5f1e
--- /dev/null
+++ b/docs/sec-fixes/2025-02-24_template.md
@@ -0,0 +1,11 @@
+# 2025-02-24 Template injection leading to RCE
+
+Between commits 4e6c5c0ba3af3d93a67961651db0906c6dfa686f (2024-07-17) and
+89c285042835bec5cdd23128102dbeeba37bfa16 (2025-02-24), template.sh included
+a code path which allowed an attacker to inject the delimeter (\x02) into
+a rendered value, which coupled with using the `e` sed filter could lead to
+remote code execution.
+
+This vulnerability could only be triggered in apps using the subtemplate
+feature. It arose due to an inconsistency with input sanitization between
+including a raw value and including a raw value while recursing.
diff --git a/src/template.sh b/src/template.sh
index 80022bf..dd3cb97 100755
--- a/src/template.sh
+++ b/src/template.sh
@@ -7,7 +7,7 @@ function render() {
 if [[ "$3" != true ]]; then
 local template="$(tr -d $'\01'$'\02' < "$2" | sed 's/\&/�UwU�/g')"
 else
- local template="$(cat "$2" | sed -E 's/\\/\\\\/g')"
+ local template="$(tr -d '$\02' < "$2" | sed -E 's/\\/\\\\/g')"
 fi
 local -n ref=$1
 local tmp=$(mktemp)
@@ -29,12 +29,12 @@ function render() {
 value+="$(render fdsa "$subtemplate" true)"
 done
- value="$(sed -E 's'$'\02''\{\{start '"$key"'\}\}'$'\02'$'\02'';s'$'\02''\{\{end '"$key"'\}\}'$'\02'$'\02' <<< "$value")"
+ value="$(tr -d '$\02' <<< "$value" | sed -E 's'$'\02''\{\{start '"$key"'\}\}'$'\02'$'\02'';s'$'\02''\{\{end '"$key"'\}\}'$'\02'$'\02')"
 echo 's'$'\02''\{\{'"$key"'\}\}'$'\02'''"$value"''$'\02'';' >> "$tmp"
 rm "$subtemplate"
 elif [[ "$key" == "@"* && "${ref["$key"]}" != '' ]]; then
- local value="$(sed -E 's/\&/�UwU�/g' <<< "${ref["$key"]}")"
+ local value="$(tr -d $'\01\02' <<< "${ref["$key"]}" | sed -E 's/\&/�UwU�/g')"
 echo 's'$'\02''\{\{\'"$key"'\}\}'$'\02'''"$value"''$'\02''g;' >> "$tmp" #'
 elif [[ "$key" == '?'* ]]; then
 local _key="\\?${key/?/}"
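Review bot: The new `else` branch of render() passes `'$\02'` to tr in plain single quotes rather than ANSI-C `$'\02'`, so tr receives the four characters `$`, `\`, `0`, `2`; it does delete byte 0x02 (tr expands `\02` as an octal escape), but it also deletes every literal `$` from the recursive subtemplate, a silent content regression the commit does not mention. The sibling `if` branch two lines above uses `$'\01'$'\02'` and the `@`-key line later in this same commit uses `$'\01\02'`, so the intended line is presumably `local template="$(tr -d $'\01\02' < "$2" | sed -E 's/\\/\\\\/g')"`. Stripping 0x01 here as well keeps the recursive path consistent with the non-recursive one; since render() elsewhere uses 0x01 as a newline placeholder (`tr $'\n' $'\01'`), a stray 0x01 arriving via a subtemplate would be indistinguishable from an encoded newline, though whatever decodes it is outside this hunk. render() starts before the hunk and continues past it.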
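Review bot: `tr -d '$\02' <<< "$value"` on the new subtemplate line has the same quoting slip: the single quotes make tr delete `$` together with 0x02, so any dollar sign inside a rendered subtemplate (prices, shell snippets) vanishes from the output; it should read `value="$(tr -d $'\02' <<< "$value" | sed -E …)"`, matching the `@`-key line added a few lines below, which correctly uses `$'\01\02'`. More generally the delimiter stripping is now spelled three different ways across four pipelines; a single `strip_delims() { tr -d $'\01\02'; }` helper applied at every point where data enters the sed program would make the invariant this commit restores ("no 0x01/0x02 byte ever reaches `$tmp`") checkable in one place, which matters because the accompanying doc says the `e` flag is in use, so any future gap is RCE again rather than a rendering glitch. `"$key"` is still spliced into the sed expressions unescaped; nothing here shows where keys come from, but if they can ever be attacker-influenced that is the same bug class. The hunk header promises 12 lines per side and only 10 are visible, so some (likely blank) context lines appear lost in extraction; render() continues past the hunk.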
@@ -53,7 +53,7 @@ function render() {
 elif [[ "${ref["$key"]}" != "" ]]; then
 echo "VALUE: ${ref["$key"]}" > /dev/stderr
 if [[ "$3" != true ]]; then
- local value="$(html_encode <<< "${ref["$key"]}" | sed -E 's/\&/�UwU�/g')"
+ local value="$(html_encode <<< "${ref["$key"]}" | tr -d $'\02' | sed -E 's/\&/�UwU�/g')"
 else
 local value="$(echo -n "${ref["$key"]}" | tr -d $'\01'$'\02' | tr $'\n' $'\01' | sed -E 's/\\\\/�OwO�/g;s/\\//g;s/�OwO�/\\/g' | html_encode | sed -E 's/\&/�UwU�/g')"
 fi
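Review bot: The added `tr -d $'\02'` on the non-recursive value line strips only 0x02, while the `else` branch directly below strips `$'\01'$'\02'` and then relies on 0x01 as its newline placeholder; if plain values are later decoded by the same mechanism, a literal 0x01 in user data would become a newline, so `tr -d $'\01\02'` here would match the rest of render() — whether that decode step exists is outside this hunk. In a fix for value injection it is also worth flagging the context line `echo "VALUE: ${ref["$key"]}" > /dev/stderr`, which dumps every rendered value (possibly including secrets) to stderr on each render and reads like leftover debugging; it should be removed or gated behind a debug flag. The `local value="$(…)"` form masks a non-zero status from `html_encode` or `tr`, so a failed pipeline silently yields an empty value; declaring `local value` separately from the assignment, or running under `set -o pipefail`, would surface it. render() continues on both sides of this hunk.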