"I've discovered rxvt-unicode 9.25 and 9.26 are vulnerable to remote code execution, in the Perl background extension, when an attacker can control the data written to the user's terminal and certain options are set. The "background" extension is automatically loaded if certain X resources are set such as 'transparent' (see the full list at the top of src/perl/background[1]). So it is possible to be using this extension without realising it. This is accidentally fixed on version 9.30, and I haven't confirmed 9.29, it appears to not be exploitable, but only due to another (not security) bug. The actual bug which makes this not vulnerable on 9.30 is simply a wrong number in "on_osc_seq"." So, needs GLSA.
