broccoli-compass is vulnerable to Remote Code Execution (RCE). Lack of proper checking of attacker-controlled filenames which is included in the list of files passed to the library via its files
option, allows an attacker to execute malicious code on the system.