Launchpad.net

CVE 2014-3121

rxvt-unicode before 9.20 does not properly handle OSC escape sequences, which allows user-assisted remote attackers to manipulate arbitrary X window properties and execute arbitrary commands.

See the CVE page on Mitre.org for more details.