A remote code execution (RCE) vulnerability in the ZScript function of ZDoom Team GZDoom v4.13.1 allows attackers to execute arbitrary code via supplying a crafted PK3 file containing a malicious ZScript source file.
https://seclists.org/fulldisclosure/2025/Feb/11
https://github.com/Chainmanner/GZDoom-Arbitrary-Code-Execution-via-ZScript-PoC