# 2025-02-24 Template injection leading to RCE

Between commits 4e6c5c0ba3af3d93a67961651db0906c6dfa686f (2024-07-17) and
89c285042835bec5cdd23128102dbeeba37bfa16 (2025-02-24), template.sh included
a code path which allowed an attacker to inject the delimeter (\x02) into
a rendered value, which coupled with using the `e` sed filter could lead to
remote code execution.

This vulnerability could only be triggered in apps using the subtemplate
feature. It arose due to an inconsistency with input sanitization between
including a raw value and including a raw value while recursing.