(no title)

I found CVE-2015-7545 a few years ago, a malicious URL using the ext:: scheme could cause code execution. It was only easily exploitable because you can ask the client to fetch any URL you want via git submodules. (This vulneriblity was fixed, and since then the entire ext url scheme was disabled by default.)