{"id":"CVE-2021-46433","details":"In fenom 2.12.1 and earlier, the getTemplateCode() function in fenom/src/Fenom/Template.php can be used to bypass the sandbox and execute arbitrary PHP code when disable_native_funcs is true.","aliases":["GHSA-674v-3g2w-84gx"],"modified":"2026-04-12T05:16:00.492639Z","published":"2022-03-28T11:15:07.647Z","references":[{"type":"REPORT","url":"https://github.com/fenom-template/fenom/issues/331"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/fenom-template/fenom","events":[{"introduced":"0"},{"last_affected":"8fb0a703111189901291bea93b5558e2bcd7df21"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"2.12.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:fenom_project:fenom:*:*:*:*:*:*:*:*"}}],"versions":["1.4.9","2.0.0","2.1.0","2.10.0","2.11.0","2.11.1","2.11.2","2.11.3","2.11.4","2.11.5","2.11.6","2.11.7","2.11.8","2.11.9","2.12","2.12.0","2.12.1","2.2.0","2.3.0","2.4.0","2.4.6","2.5.0","2.5.1","2.5.2","2.5.3","2.5.4","2.6.0","2.6.1","2.6.2","2.7.0","2.7.1","2.8.0","2.8.1","2.8.2","2.9.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-46433.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}]}