An issue in symphony v.3.6.3 and before allows a remote malicious user to execute arbitrary code via the log4j component.
b3log symphony