silverstripe/framework is vulnerable to Remote Code Execution (RCE)
72
High Risk
The silverstripe/framework template compiler emits the default and context strings of a <%t %> translation block directly into the generated PHP template. Before the fix, SSTemplateParser pasted these author-controlled strings in verbatim as double-quoted literals, so a string containing PHP interpolation such as {${'shell_exec'('id')}} was evaluated when the compiled template ran. This allows arbitrary PHP to execute on the server wherever an attacker can influence a translation default or context string. The fix re-emits the value as a single-quoted PHP literal so it is treated as inert text.
You are affected if you are using a version that falls within the vulnerable range and your project renders <%t %> translation default or context strings that can contain attacker-influenced content.
silverstripe/framework is vulnerable to Remote Code Execution (RCE) in versions 3.0.0 - 5.4.29.
Upgrade the silverstripe/framework library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant