Spotlight in Apple OS X prior to 10.10.4 allows malicious users to execute arbitrary commands via a crafted name of a photo file within the local photo library.
apple mac os x