The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. CREATE(Triage): {Link=https://nvd.nist.gov/vuln/detail/CVE-2019-12929 User=admin}