Roehrl

**Name of the Vulnerable Software and Affected Versions** neoan3-apps/template versions prior to 1.1.1 **Description** The issue arises from allowing closures to be passed directly into the template engine, which can execute values that are callable. This can lead to unintended or malicious execution if a value has the same name as a method or function in scope. All users of the package are potentially affected, especially those dealing with direct user input or database values, making a multi-step attack plausible. **Recommendations** For versions prior to 1.1.1, the only safe approach is to work with hardcoded values, although this may defeat the purpose of using a template engine. Therefore, it is recommended to upgrade to version 1.1.1 or later to address this vulnerability. As a temporary workaround, consider avoiding the use of closures in the template engine until the issue is resolved.