Expected Findings
- User templates are evaluated, not escaped.
- Template scope exposes `env`, allowing direct secret access.
- `config.constructor` style payloads return prototype information.
Email Templates
Server-Side Template Injection
The newsletter previewer renders user-supplied templates with a server-side template engine, evaluating expressions and exposing internal globals.
Template preview
Primary Flows
- Math eval Evaluates 7*7
- Env access Returns env.SECRET
- Constructor probe Walks prototype chain
Signals
Render
engine.compile(req.query.template)({env, config})