Camaleon CMS prior to 2.7.4 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats parameter.
formats