A flaw was found in Emacs and org-mode. In affected versions of Emacs, org-link-expand-abbrev in lisp/ol.el expands a %(…) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This issue affects Org Mode before 9.7.5.