duck before 0.10 did not properly handle loading of untrusted code from the current directory.
[
{
"product": "duck",
"vendor": "Debian",
"versions": [
{
"status": "affected",
"version": "< 0.10"
}
]
}
]