It was discovered that rsync incorrectly handled certain data input. An attacker could possibly use this to cause a denial of service or execute arbitrary code. (CVE-2017-16548)
It was discovered that rsync incorrectly parsed certain arguments. An attacker could possibly use this to bypass arguments and execute arbitrary code. (CVE-2018-5764)