sulu/sulu is vulnerable to path traversal. The library does not properly handle the default configuration in ‘SymfonyExpressionTokenProvider.php’, allowing an attacker to read the arbitrary local files via a PHP file include and its leads to remote code execution.