As with other input validation vulnerabilities, these engines are susceptible to reading data that is validated incorrectly. Doing so is called Server-Side Template Injection (SSTI). The potential impact to the application would be because of a modification, very similar to a Cross-Site Scripting (XSS) attack, to a Remote Code Execution (RCE), using the server where the application is residing as a pivot to advance into the internal network.