The package bestzip before 2.1.7 are vulnerable to Command Injection via the options param.
CVSS Metrics
