App/HelperFunctions.pm in Shutter through 0.93.1 allows user-assisted remote attackers to execute arbitrary commands via a crafted image name that is mishandled during a "Show in Folder" action.
Related bugs and status
CVE-2015-0854 (Candidate)
is related to these bugs: