Product
The Scriban templating engine, specifically its `TypedObjectAccessor`, allows template code to write to arbitrary CLR object properties, including those with `private set`, `internal set`, and `init` modifiers, effectively bypassing intended C# access restrictions. This mass assignment (CWE-915) and access-modifier bypass (CWE-284) vulnerability can lead to unauthorized modification of sensitive host object properties, such as changing `user.is_admin = true`, with changes persisting after template rendering, affecting Scriban versions up to and including 7.2.1, with the `init` bypass specifically impacting .NET 5+.