CVE-2024-39331: emacs: org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code

Severity: Critical

CVSS Score: 9.8

In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5.