There is no way to DM on GitHub. If this is not related to an unsecured install, you may email me at firstname.lastname@example.org
Aka if it is an exploit when there is a username and password set and you do not know it.
Basically it is only an issue when an install is web facing and accessible without a login set. Proper fix is a new popup forcing users to set a username/password on their install if some check is done that shows it is accessible from the internet without a password. I think that if there is no login set, we should determine the public IP/address and try a get_url to it, and then check for a value on the page. If the get_url finds the value we know the user does not have a proxy or other method that is securing the service on the web, and we should block access from the public IP and pop up a modal when accessed from a machine on the local network that explains the problem and forces them to set a password.
This fixes a slew of issues when an inexperienced user who almost certainly is not a web administrator leaves themselves at risk.
The other fix for the exact issue @Sudneo reported is related to external post processing scripts. I won't go into the details but we need to sanitize the input and force the user to put the script into the SC data (or a new "scripts" folder), and then limit the $PATH so that other system utilities cannot be called with arguments that would escalate accessibility to the machine.
Both of these things need to be done, if you are interested in working on either of them @WebSpider? I've been quite busy with family and holidays, but these have been very high priority for a really long time now lol...
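A sketch of the post-processing script hardening proposed in the comment above (confine scripts to one folder, restrict `$PATH`), added here as an example and not the project's own code. The names `resolve_script`, `run_extra_script` and `RESTRICTED_PATH`, the folder layout and the timeout are assumptions made for illustration.

```python
import subprocess
from pathlib import Path

# Assumption: the smallest PATH the scripts need; tune per platform.
RESTRICTED_PATH = "/usr/bin:/bin"


def resolve_script(scripts_dir, name):
    """Return the real path of `name` only if it lives inside scripts_dir."""
    base = Path(scripts_dir).resolve()
    # resolve() collapses ".." and follows symlinks, so a traversal or a
    # link pointing out of the folder ends up outside `base` and is refused.
    # An absolute `name` replaces `base` entirely and is refused the same way.
    candidate = (base / name).resolve()
    if base not in candidate.parents:
        raise ValueError(f"script outside scripts folder: {name!r}")
    if not candidate.is_file():
        raise ValueError(f"no such script: {name!r}")
    return candidate


def run_extra_script(scripts_dir, name, args, interpreter=None):
    """Run a vetted script with an argv list and a stripped environment."""
    script = resolve_script(scripts_dir, name)
    argv = ([interpreter] if interpreter else []) + [str(script)]
    argv += [str(a) for a in args]  # each value stays one argv entry
    return subprocess.run(
        argv,
        env={"PATH": RESTRICTED_PATH},  # nothing inherited from the parent
        shell=False,                    # no shell parsing of user input
        capture_output=True,
        text=True,
        timeout=60,
        check=False,
    )
```

The configured value is treated as a file name relative to the scripts folder, never as a command line, so arguments coming from the application cannot be reinterpreted by a shell.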