The _mediaLibraryPlayCb function in mainwindow.py in pitivi prior to 0.95 allows malicious users to execute arbitrary code via shell metacharacters in a file path.
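
As an added example (not pitivi's code, which this page does not show), the Python sketch below contrasts pasting a file path into a shell command line with passing it as a single argv element. `echo` stands in for the external program handed the path, and the function names and sample file name are constructed for illustration.

```python
import shlex
import subprocess

# Harmless stand-in for the external program that receives the media file
# path (assumption: the page does not show the actual call in mainwindow.py).
VIEWER = "echo"


def _run(cmd, shell):
    """Run a command and return its stdout without the trailing newline."""
    done = subprocess.run(cmd, shell=shell, capture_output=True,
                          text=True, check=True)
    return done.stdout.rstrip("\n")


def open_with_shell(path):
    """Flawed pattern: the path is pasted into a shell command line,
    so the shell interprets any metacharacters it contains."""
    return _run('%s "%s"' % (VIEWER, path), shell=True)


def open_with_shell_quoted(path):
    """Mitigation when a shell cannot be avoided: quote the path first."""
    return _run("%s %s" % (VIEWER, shlex.quote(path)), shell=True)


def open_with_argv(path):
    """Preferred fix: no shell at all, the path is exactly one argv element."""
    return _run([VIEWER, path], shell=False)


# Constructed sample: a file name that carries a command substitution.
SAMPLE = "clip $(echo INJECTED).png"

if __name__ == "__main__":
    for fn in (open_with_shell, open_with_shell_quoted, open_with_argv):
        print(fn.__name__, "->", fn(SAMPLE))
```

Only the first variant lets the shell rewrite the file name; the other two hand it to the program byte for byte.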