The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection. When calling the update_repo function (when using hg), the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution.
{ "nvd_published_at": "2022-03-14T18:15:00Z", "cwe_ids": [ "CWE-74", "CWE-77" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2022-03-15T17:05:10Z" }