John Cantu

**Name of the Vulnerable Software and Affected Versions** CuteNews versions 1.3.6 and earlier **Description** A direct code injection issue allows remote attackers with administrative privileges to execute arbitrary PHP code via certain inputs that are injected into a template (.tpl) file. **Recommendations** For CuteNews versions 1.3.6 and earlier, consider restricting access to administrative privileges and limiting the ability to inject code into template files until a fix is available. As a temporary workaround, consider disabling the template editing feature for users with administrative privileges to minimize the risk of exploitation.