Remote code execution
The package refile contains a flaw that is triggered when input is not sanitized when handling the remote_image_url field in a form, where image is the name of the attachment. This may allow a remote attacker to execute arbitrary shell commands.