FileSender before 2.49 allows server-side template injection (SSTI) for retrieving credentials.Referenceshttps://filesender.org/vulnerability-in-filesender-versions-below-2-49-and-3-x-beta/