Remote command execution
The package fileutils does not sanitize input on URLs passed to CutyCapt. If a URL contains shell characters, such as a ; followed by a command, a remote attacker can execute a command on the client's system if they are enticed to click an encoded URL.