launch-editor vulnerable to command injection via a crafted request on Windows
Due to insufficient sanitization of the file argument in launchEditor, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters.
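
One way to close this class of bug, shown as an added example that is not launch-editor's code or its patch: check the file name against an allowlist before it can reach a Windows shell. The names isSafeWindowsFileArg and buildEditorSpawn are hypothetical, and routing the editor through cmd.exe /C on Windows is an assumption of the example.

```javascript
// Added example; the function names are hypothetical, not launch-editor's API.

// Allowlist for a file argument that will be handed to cmd.exe: an optional
// drive prefix, then Unicode letters, digits, path separators, dot, dash and
// underscore. Characters cmd.exe interprets (& | < > ^ % ! " ( ) and friends)
// and whitespace, which would split the argument, are simply not in the set.
const SAFE_WINDOWS_PATH = /^(?:[A-Za-z]:[\\\/])?[\p{L}\p{N}\\\/._-]+$/u;

function isSafeWindowsFileArg(fileName) {
  return typeof fileName === 'string' &&
    fileName.length > 0 &&
    SAFE_WINDOWS_PATH.test(fileName);
}

// Returns the { command, args } pair a caller would pass to
// child_process.spawn(command, args). Nothing is spawned here.
function buildEditorSpawn(editor, fileName, platform = process.platform) {
  if (platform !== 'win32') {
    // Assumption: no shell is involved off Windows, so the file name is
    // one argv entry and is never parsed as a command line.
    return { command: editor, args: [fileName] };
  }
  // Assumption: on Windows the editor is started through cmd.exe (for
  // instance because it is a .cmd shim), so the name must be vetted first.
  if (!isSafeWindowsFileArg(fileName)) {
    throw new Error('refusing to open file: name has characters outside the allowlist');
  }
  return { command: 'cmd.exe', args: ['/C', editor, fileName] };
}

// Constructed sample inputs, not taken from the advisory.
const samples = [
  'C:\\src\\app.js',        // accepted
  'src/компонент.vue',      // accepted: Unicode letters are allowed
  'app.js&echo',            // rejected: command separator
  'a b.js',                 // rejected: whitespace
];
for (const name of samples) {
  console.log(JSON.stringify(name), isSafeWindowsFileArg(name) ? 'accepted' : 'rejected');
}
```

The allowlist is deliberately strict: paths containing spaces are refused rather than quoted, since quoting rules differ between cmd.exe and the program it starts.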