A vulnerability has been found where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this may be root. Affected Versions; This vulnerability has existed in all versions of Supervisor since 3.0a1 . Fixed in: Supervisor 3.3.3, Supervisor 3.2.4, Superivsor 3.1.4