sagecell is vulnerable to arbitrary code injection. The vulnerability exists as it allows injection of malicious OS commands via the popen
command during communication with the SageMath Sage Cell Server via an internet facing web application.The vendor claims this vulnerability as a “vulnerable by design” and that the current behavior will be retained.