iTerm2 prior to 3.4.20 allow (potentially remote) code execution because of mishandling of certain escape sequences related to upload.
iterm2 iterm2