Affected versions of this package are vulnerable to Command Injection by missing validation of the command field sent to the server to update the configuration of a python_engine type model via an HTTP POST request to /v1/models/__MODEL_ID__. An attacker can craft a webpage once visited by the victim can trigger the exploit which can lead to executing arbitrary commands on the server (RCE).