Winston 1.5.4 devices are vulnerable to command injection via the API.
winstonprivacy winston firmware 1.5.4