CVE-2024-25081: Splinefont in FontForge through 20230101 allows command injection via crafted filenames.
CVE-2024-25082: Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files.

Fix for both has been applied in the gh master branch upstream: https://github.com/fontforge/fontforge/commit/216eb14b558df344b206bf82e2bdaf03a1f2f429 but no new release at time of writing.

https://www.canva.dev/blog/engineering/fonts-are-still-a-helvetica-of-a-problem/
https://nvd.nist.gov/vuln/detail/CVE-2024-25081
https://nvd.nist.gov/vuln/detail/CVE-2024-25082

Reproducible: Didn't try
Thanks for reporting. Ping fonts@.