Severity: Critical
CVSS Score: 10
In Drupal core, when sending email some variables were not being sanitized for shell arguments in `DefaultMailSystem::mail()`, which could lead to remote code execution.