It shouldn't run apps from $CWD, only the installed version.
Filed an upstream bug http://bugzilla.gnome.org/show_bug.cgi?id=329535 and made this block FC5Target. Should set severity to security, too.