Code injection
Prodder before 0.5, and perlpodder before 0.5, allows remote attackers to execute arbitrary code via shell metacharacters in the URL of a podcast url attribute of an enclosure tag, or $encurl variable, which is executed when running wget...