This affects the package latte/latte before 2.10.6. There is a way to bypass allowFunctions that will affect the security of the application. When the template is set to allow/disallow the use of certain functions, adding control characters (x00-x08) after the function will bypass these restrictions.
{ "nvd_published_at": "2021-12-17T20:15:00Z", "github_reviewed_at": "2022-01-06T18:54:41Z", "severity": "CRITICAL", "github_reviewed": true, "cwe_ids": [ "CWE-863" ] }