As with other input validation vulnerabilities, these engines are susceptible to processing data that has been validated incorrectly. Exploiting this is called Server-Side Template Injection (SSTI). The potential impact on the application ranges from a modification of the rendered content, very similar to a Cross-Site Scripting (XSS) attack, to Remote Code Execution (RCE), with the server where the application resides used as a pivot to advance into the internal network.
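The root cause described above, shown with Python's built-in `str.format` standing in for a template engine (an added example, not code from the original page). The `Account` class, the key value and all function names are constructed for illustration.

```python
import string
from dataclasses import dataclass


@dataclass
class Account:
    plan: str
    api_key: str  # constructed secret that the page is never meant to show


ACCOUNT = Account(plan="free", api_key="CONSTRUCTED-KEY-123")


def render_vulnerable(name: str) -> str:
    # Flaw: user input becomes part of the template source, so any
    # replacement field inside it is evaluated against the render context.
    template = "Hello " + name + ", your plan is {account.plan}"
    return template.format(account=ACCOUNT)


def render_safe(name: str) -> str:
    # Fix: the template is a constant and user input is only ever a value.
    # Substituted values are not parsed again, so braces stay literal text.
    template = "Hello {name}, your plan is {account.plan}"
    return template.format(name=name, account=ACCOUNT)


def contains_template_syntax(value: str) -> bool:
    # Review/test helper: True when the input would be interpreted as
    # template syntax if it ever reached the template source.
    try:
        return any(field is not None
                   for _, field, _, _ in string.Formatter().parse(value))
    except ValueError:
        # Unbalanced braces would also alter or break the template.
        return True


if __name__ == "__main__":
    probe = "{account.api_key}"  # constructed input
    print(render_vulnerable(probe))  # context data leaks into the page
    print(render_safe(probe))        # input is rendered as plain text
```

The same rule holds for real template engines: keep the template source fixed and pass user input only through the render context.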
There are many template engines and, although all of them do the same thing, there are some differences that are important to note. Let's look at examples using different template engines to understand how SSTI works.