Dear dev@freemarker.apache.org<mailto:dev@freemarker.apache.org>,
We are using freemarker as our main templating engine for the various software me and my team are maintaining. In order to be certain our software is secure and compliant with the latest security standards, our code is dynamically tested with Veracode. We're currently having the latest version of freemarker flagged as dangerous because of this CVE: CVE-2021-46361<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-46361> undefined: org.freemarker:freemarker is vulnerable to arbitrary code execution. Remote attackers are able to inject and execute malicious scripts on the host machine via crafted payloads to bypass security restrictions. The option we have are: * Waiting for a new release of freemarker that fixes this CVE * Switching to an other templating engine (which I would like to avoid if we can, as this would mean a breach in ascending compatibility due to syntax in the templates). Can you please kindly share if this issue is being actively worked on ? If it is, do you have a tentative date for the next release ? Many thanks and kind regards, Arnaud DEMARCQ
