osc before version 0.162 and obs-service-source_validator before version 0.7 are vulnerable arbitrary code during macro expansion. References: https://bugzilla.novell.com/show_bug.cgi?id=938556
Created osc tracking bugs for this issue: Affects: fedora-all [bug 1533745] Created osc-source_validator tracking bugs for this issue: Affects: fedora-all [bug 1533744]
Fixed in Fedora 26 and Fedora 27 as updates.