Foreman prior to 1.1 allows remote malicious users to execute arbitrary code via a crafted YAML object to the (1) fact or (2) report import API.
theforeman foreman