Company
Date Published
Author
Tim Kadlec
Word count
664
Language
English
Hacker News points
None

Summary

The EJS (Embedded JavaScript Templates) package, a popular JavaScript templating engine, contains a high-severity Remote Code Execution vulnerability that can be exploited when data and options are mixed into a single object, allowing an attacker to inject malicious code. The vulnerability was disclosed on November 27th and fixed within one day through the release of version 2.5.3, which blacklists the `root` option so that it cannot be supplied alongside user data. To fix this issue, users can update their EJS package to the latest version using tools like Snyk or by manually updating their dependencies. The vulnerability highlights the importance of proper configuration and sanitization when using templating engines to avoid security risks.