picocom prior to 2.0 has a command injection vulnerability in the 'send and receive file' command because the command line is executed by /bin/sh unsafely.
Debian Bug report logs - #863671 CVE-2015-9059
Package: picocom; Maintainer for picocom is Matt Palmer <mpalmer@debian.org>; Source for picocom is src:picocom
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Mon, 29 May 2017 21:09:02 UTC
Severity: grave
Tags: security, upstream
Found in ...