fish is vulnerable to remote code execution. The vulnerability exists due to a lack of sanitization via the configuration that allows an attacker to inject maliciously crafted script into the system.
github.com/fish-shell/fish-shell/pull/8589
github.com/fish-shell/fish-shell/releases/tag/3.4.0
github.com/fish-shell/fish-shell/security/advisories/GHSA-pj5f-6vxj-f5mq
lists.fedoraproject.org/archives/list/[email protected]/message/BPZ7JV22DSZB5LNUCUEJ2HO3PKM2TVVK/
lists.fedoraproject.org/archives/list/[email protected]/message/TRNMYS2LKB6TKOOBQQRSRQICDMWLZ4QL/
security-tracker.debian.org/tracker/CVE-2022-20001
www.debian.org/security/2022/dsa-5234