Ametys CMS version 3.5.2 suffers from an XPath injection vulnerability. Input passed via the 'lang' POST parameter in the newsletter plugin is not properly sanitized before being used to construct an XPath query for XML data.
c5dbcda0f10c655d76ff28210efc04294966ced89d00fa641314117ecc195ed1