The package bestzip before 2.1.7 are vulnerable to Command Injection via the options param. Read more