SugarCRM versions 13.0.1 and below suffer from a server-side template injection vulnerability in the GetControl action from the Import module. This issue can be leveraged to execute arbitrary php code.
482a650864ca894b028d96d1341d94b0fd22a59191625c172302fe115ad4deb5