FusionAuth versions 1.10 and below suffer from a remote command execution vulnerability. An authenticated attacker with enough privileges to access the template editing functions (either site templates or e-mail templates) in the FusionAuth dashboard can execute commands on the underlying operating system using the Apache FreeMarker Expression language.
876ccd82d5bf49d3dd83506c810a93433c3fc4fbba012da2f79d8be9687745f0