Twig and FreeMarker

Twig and FreeMarker are template engines developed in Python. In the first line, the template expects a first name, which it displays. There is no problem here:

// Safe: the template string is fixed by the developer; the user's data is only a variable
$output = $twig->render("Dear {{ first_name }},", array("first_name" => $user->first_name));

But now, in the following line, which is part of the same code, the template expects an email so that it can personalize the content it displays:

// Vulnerable: the user-controlled parameter is used as the template source itself
$output = $twig->render($_GET['custom_email'], array("first_name" => $user->first_name));

As shown in the preceding code snippet, the template is vulnerable because it accepts any data the user enters as the template itself, so the user can inject a formatted email or arbitrary template code that changes what is displayed.

But this isn't the only impact, and this is why this kind of vulnerability is rated so high. A malicious user commonly tries to exploit it as XSS, attacking other users through social engineering, but an experienced tester will extract more information from the same vulnerability. In this case, it lets someone learn about the application at runtime:

custom_email={{7*7}}

As you can see, if we enter an arithmetic expression, it is evaluated. So, what happens if we reference an object? Let's see:

custom_email={{self}}
Object of class __TwigTemplate_7ae62e582f8a35e5ea6cc639800ecf15b96c0d6f78db3538221c1145580ca4a5 could not be converted to string
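As an added example (not code from the book), the vulnerable render call above is shown next to a hardened version in which the user's text is passed as data to a fixed template, plus a simple server-side check that flags probes such as custom_email={{7*7}}. It assumes Twig 2 or 3 installed through Composer; $user and $customEmail are constructed sample values.

```php
<?php
// Added example, not from the original text. Assumes Twig 2/3 via Composer
// (vendor/autoload.php); $user and $customEmail below are constructed samples.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// The only template the application should ever compile: a fixed, developer-owned
// string in which the user's text is a variable, never template source.
$twig = new Environment(new ArrayLoader([
    'email.twig' => "Dear {{ first_name }},\n{{ custom_email }}",
]), ['autoescape' => 'html']);

// Vulnerable: whatever the user sent becomes the template itself, so any template
// syntax inside it ({{7*7}}, {{self}}, ...) is compiled and evaluated.
function renderVulnerable(Environment $twig, string $userInput, object $user): string
{
    return $twig->createTemplate($userInput)->render(['first_name' => $user->first_name]);
}

// Hardened: the user's text is passed as data to the fixed template. The braces are
// printed literally (and HTML-escaped), so nothing in the input is evaluated.
function renderHardened(Environment $twig, string $userInput, object $user): string
{
    return $twig->render('email.twig', [
        'first_name'   => $user->first_name,
        'custom_email' => $userInput,
    ]);
}

// Cheap detection: flag request parameters that carry template delimiters so that
// probing like custom_email={{7*7}} is visible in the application log.
function looksLikeTemplateProbe(string $value): bool
{
    return (bool) preg_match('/\{\{|\{%|\$\{|<%/', $value);
}

// Constructed sample input standing in for $_GET['custom_email'].
$customEmail = 'Your total is {{7*7}}';
$user = (object) ['first_name' => 'Alice'];

if (looksLikeTemplateProbe($customEmail)) {
    error_log('possible SSTI probe in custom_email: ' . $customEmail);
}
echo renderVulnerable($twig, $customEmail, $user), "\n"; // the expression is evaluated
echo renderHardened($twig, $customEmail, $user), "\n";   // the input is shown as text
```

Running both calls on the same input makes the difference concrete: the vulnerable path evaluates the arithmetic, while the hardened path reproduces the user's string verbatim under the fixed greeting.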