There is a vulnerability in the latest (and to the best of my knowledge, all prior versions of) CuteNews from CutePHP.com.

CuteNews does not properly sanitize user input when an administrative account edits the template files. CuteNews takes HTML code from a web form and outputs it to a template file called .tpl, which contains PHP code similar to the following:

--snip--
--snap--

By entering:

--snip--
HTML;
[PHP code]
$fake_template = <<
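
A defensive sketch of the write path described above, as an added example (not CuteNews code and not part of the original advisory): it flags form input containing a line that would close the heredoc, and writes the template as a quoted string literal instead of a heredoc. The function names and the `$template_` variable prefix are hypothetical, and the heredoc label `HTML` is assumed from the `HTML;` line in the input shown above.

```php
<?php
// Added example: all names here are hypothetical, not taken from CuteNews.

// True if any line of $body would close a heredoc opened with <<<$label.
// PHP 7.3+ also accepts an indented closing label, so leading blanks count.
function closes_heredoc(string $body, string $label = 'HTML'): bool
{
    $pattern = '/^[ \t]*' . preg_quote($label, '/') . '(?![A-Za-z0-9_\x80-\xff])/';
    foreach (preg_split('/\r\n|\r|\n/', $body) as $line) {
        if (preg_match($pattern, $line) === 1) {
            return true;
        }
    }
    return false;
}

// Build the template file with each body as a single-quoted PHP literal.
// var_export() escapes quotes and backslashes, so the form value stays data:
// there is no closing label to match and no variable interpolation.
function render_template_file(array $templates): string
{
    $out = "<?php\n";
    foreach ($templates as $name => $body) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', (string) $name)) {
            throw new InvalidArgumentException('bad template name');
        }
        $out .= '$template_' . $name . ' = ' . var_export((string) $body, true) . ";\n";
    }
    return $out;
}

// Constructed sample inputs (the second mirrors the shape shown in the advisory).
$benign  = "<b>{title}</b>\n<p>The HTML spec is long.</p>";
$suspect = "<b>{title}</b>\nHTML;\n[PHP code]";

var_dump(closes_heredoc($benign));
var_dump(closes_heredoc($suspect));
echo render_template_file(['active' => $suspect]);
```

The check is useful for logging and alerting on template edits; the literal-based writer is the actual fix, since it does not depend on recognising every way a heredoc can end.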