Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks. https://nvd.nist.gov/vuln/detail/CVE-2017-1000116