Many web technologies are using template engines for content delivery to web components or even in email context. This is majorly done by embedding dynamic contents into specified template sections. Doing this in unsafe manner can cause insecurities in the application that can even leads to remote code execution. This talk will be explaining the concepts behind template engines, how it works and walk through insecure coding practices with source code examples. We will also discuss how to discover template injection vulnerabilities from pentest point of view and what could go wrong if this can be exploited with a working demo.