typo3/cms-core is vulnerable to Code Injection. The vulnerability is due to improper validation of settings within the Install Tool when configuring the path to system binaries. This vulnerability is only exploitable by an administrator-level backend user with system maintainer permissions.