feh before 1.8, when the --wget-timestamp option is enabled, might allow remote attackers to execute arbitrary commands via shell metacharacters in a URL.
Gentoo Linux Security Advisory 201110-8 - Multiple vulnerabilities were found in feh, the worst of which leading to remote passive code execution. Versions less than 1.12 are affected.