rdiffweb is vulnerable to command injection. The vulnerability exists in notification.py
due to lack of character sanitisation in SSH key names which allows an attacker to inject a hyperlink that allows an attacker to redirect victim to malicious website.