October · October · CVE-2023-44382
**Name of the Vulnerable Software and Affected Versions**
October versions prior to 3.4.15
**Description**
The issue allows an authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions to write specific Twig code and execute arbitrary PHP, despite `cms.safe_mode` being enabled. This is problematic for those relying on `cms.safe_mode` to restrict users from writing and executing arbitrary PHP.
**Recommendations**
For versions prior to 3.4.15, update to version 3.4.15 to resolve the issue.
As a temporary workaround, consider removing the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions from untrusted users.