Versions of whereis before 0.4.1 are vulnerable to command injection if untrusted user input is passed into whereis.
Update to version 0.4.1 or later.
{
"severity": "CRITICAL",
"cwe_ids": [
"CWE-77"
],
"nvd_published_at": null,
"github_reviewed_at": "2020-06-16T22:00:43Z",
"github_reviewed": true
}