glob CLI: Command injection via -c/--cmd executes matches with shell:true
The glob CLI contains a command injection vulnerability in its -c/–cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> is used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges.