Launchpad.net

CVE 2014-8990

default-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a filename.

See the CVE page on Mitre.org for more details.