Splinefont in FontForge through 20230101 allows command injection via crafted filenames.
https://www.theregister.com/2024/03/08/canva_font_security/
https://lists.debian.org/debian-lts-announce/2024/03/msg00007.html
https://github.com/fontforge/fontforge/pull/5367