A Server-Side Template Injection (SSTI) vulnerability in the Registration and Forgotten Password forms of Magnolia v6.2.3 and below allows unauthenticated attackers to execute arbitrary code via a crafted payload entered into the fullname parameter.
This vulnerability was found in collaboration with Marian-Razvan Ilisanu.
The vendor's disclosure and fix for this vulnerability can be found here.
More details and the exploitation process can be found in this PDF.