Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP objection injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data.
https://www.exploit-db.com/exploits/39838/
https://magento.com/security/patches/magento-206-security-update
http://netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-execution/