Saleem-Hadad

**Name of the Vulnerable Software and Affected Versions** LaRecipe versions prior to 2.8.1 **Description** LaRecipe is an application that allows users to create documentation with Markdown inside a Laravel app. Versions prior to 2.8.1 are vulnerable to Server-Side Template Injection (SSTI), which could potentially lead to Remote Code Execution (RCE) in vulnerable configurations. Attackers could execute arbitrary commands on the server, access sensitive environment variables, and/or escalate access depending on server configuration. The vulnerability allows attackers to inject malicious code through templates, potentially executing arbitrary PHP code due to the use of the `eval()` function without proper validation. Approximately 4.5 million results were found on one search engine, and 8.8 million services are estimated to be affected yearly. **Recommendations** Upgrade to version 2.8.1 or later.