tl;dr

• SSTI in the valentine card
• bypass filter by setting ejs delimiter option
• RCE :yay:

tl;dr

• Create a sqlite3 extension with rce payload.
• Abuse werkzeug tempfile to upload the extension to server.
• load that extension using load_extension(‘/proc/self/fd/fd_no’);