Fenom is a lightweight and fast PHP template engine. Fenom 2.12.1 and earlier versions are vulnerable to code injection. The flaw stems from a failure to properly filter special characters, commands, and similar elements when constructing commands in the getTemplateCode() function of fenom/src/Fenom/Template.php. Attackers can exploit it to bypass the sandbox and execute arbitrary PHP code when disable_native_funcs is true.