Direct code injection vulnerability in CuteNews 1.3.6 and earlier allows remote attackers with administrative privileges to execute arbitrary PHP code via certain inputs that are injected into a template (.tpl) file.
Exploitability
AV:LAC:HPR:NUI:RScope
S:UImpact
C:LI:LA:L4.5/CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L