Published: 13 April 2016
Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subrepository.
From the Ubuntu security team
It was discovered that Mercurial incorrectly handled git ext:: URL. An attacker could possibly use this issue to execute arbitrary code.
CVSS 3 base score: 8.8