Yaws versions 1.81 up to and including 2.0.7 suffer from remote OS command injection and XML external entity injection vulnerabilities.