hg.sr.ht and git.sr.ht versions prior to 0.32.3 and 0.83.5 respectively
were vulnerable to command injection, which allows a remote user to
execute arbitrary commands as the hg or git user on the host.
Administrators of third-party SourceHut instances are advised to upgrade
your instance to hg.sr.ht 0.32.3 or newer and git.sr.ht 0.83.5 or newer
Thanks to Thomas Chauchefoin for discovering and responsibly disclosing