Back in 2022 while browsing through lists of recently disclosed vulnerabilities, I happened upon some Adobe Commerce/Magento Open Source vulnerabilities [1], that were reported to be exploited in the wild and can be exploited to achieve remote code execution, a combination which always motivates me to take a quick look at the vulnerability. Adobe provided a simple patch file that effectively removes {{ and }} characters when encountered in input provided to two specific components and it is reasonable to assume that the vulnerability involves Magento’s built-in templating system.
Source: Veracode