/format · sink: str.format(user=...)
User-controlled format template passed to str.format(user=obj). Attribute walks ({user.a.b...}) reach anywhere the object graph leads.
The format template is taken from the ?template= query parameter and rendered as template.format(user=USER). Try ?template=Hello {user.name} to confirm the sink, then {user.flag} to read the lab flag, then {user.__class__.__init__.__globals__} to reach the module's global namespace (which escalates to RCE in real applications).
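The sink described above beside a hardened renderer, as an added example (not the lab's own code): the User class, the USER object, its flag value and the ALLOWED_FIELDS allowlist are constructed here. The hardened version parses the template with string.Formatter before any lookup happens, so attribute walks and index access are rejected instead of resolved.

```python
import string


class User:
    def __init__(self, name, flag):
        self.name = name
        self.flag = flag  # secret the template must never expose


# Constructed sample object standing in for the lab's USER.
USER = User("alice", "flag{constructed-example}")

# Exact replacement-field names a template is allowed to reference.
ALLOWED_FIELDS = {"user.name"}


def render_vulnerable(template):
    # The lab's sink: the whole object is handed to str.format, so every
    # attribute reachable from it (user.flag, user.__class__, ...) is readable.
    return template.format(user=USER)


def render_hardened(template):
    """Render only allowlisted fields, substituting precomputed values.

    string.Formatter.parse() splits the template into literal text and
    replacement fields without performing any lookup, so attribute walks
    ({user.flag}, {user.__class__...}), index access ({user[flag]}),
    conversions (!r) and nested specs ({user.name:{user.flag}}) can be
    rejected before str.format ever sees the object.
    """
    values = {"user.name": USER.name}
    out = []
    for literal, field, spec, conv in string.Formatter().parse(template):
        out.append(literal)
        if field is None:  # trailing literal text, no field follows
            continue
        if field not in ALLOWED_FIELDS or conv is not None or "{" in (spec or ""):
            raise ValueError(f"field not allowed: {field!r}")
        out.append(format(values[field], spec or ""))
    return "".join(out)


def rejects(template):
    # True when the hardened renderer refuses the template.
    try:
        render_hardened(template)
    except ValueError:
        return True
    return False
```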