Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files. https://github.com/fontforge/fontforge/pull/5367
Created fontforge tracking bugs for this issue: Affects: fedora-all [bug 2266182]