Modules.cpp in ZNC prior to 1.7.4-rc1 allows remote authenticated non-admin users to escalate privileges and execute arbitrary code by loading a module with a crafted name.
Two vulnerabilities were discovered in the ZNC IRC bouncer which could
result in remote code execution (CVE-2019-12816) or denial of service
via invalid encoding (CVE-2019-9917).
For the stable distribution (stretch), these problems have been fixed in
version 165-1+deb9u2.
We recommend that you upgrade your znc packages.
For the detailed security ...