pphoto in Ariadne before 2.6 allows remote authenticated users with certain privileges to execute arbitrary shell commands via vectors related to PINP programs and the annotate command. NOTE: some of these details are obtained from third party information.
https://exchange.xforce.ibmcloud.com/vulnerabilities/40989
http://www.securityfocus.com/bid/28093
http://www.ariadne-cms.org/download/changes/