Vendor
The Nuclio controller improperly sanitizes user-controlled input (cron trigger event headers and body) before injecting it into `curl` commands executed by Kubernetes CronJobs, allowing remote attackers to perform command injection and achieve remote code execution (RCE) by breaking quoting contexts in header keys or utilizing shell command substitution in event bodies, leading to arbitrary command execution with root privileges and potential persistence within the Kubernetes cluster.