The server in xArrow prior to 3.4.1 performs an invalid read operation, which allows remote malicious users to execute arbitrary code via unspecified vectors.
xarrow xarrow