CVE-2022-21187

The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection. When calling the update_repo function (when using hg), the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt