Zhcy2018

**Name of the Vulnerable Software and Affected Versions** pyload (affected versions not specified) **Description** An authenticated user can achieve remote code execution by changing the download folder and uploading a crafted template to that location. This is possible through the '/json/add package' endpoint using the `add file` parameter to upload a malicious file. The issue is triggered via the '/render/{filename}' endpoint, where the `render()` function processes the uploaded file, leading to Server-Side Template Injection (SSTI)—a vulnerability where an attacker injects malicious code into a template that is then executed on the server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. Restrict access to the '/json/add package' and '/render/{filename}' endpoints to minimize the risk of exploitation.