It was discovered that texlive-base, the TeX Live package which provides the essential TeX programs and files, whitelists mpost as an external program to be run from within the TeX source code . Since mpost allows to specify other programs to be run, an attacker can take advantage of this flaw for arbitrary code execution when compiling a TeX document.