Earlier today I received a bug report about a VBScript injection issue
in gnome-exe-thumbnailer through specially crafted filenames. The Debian
bug is at https://bugs.debian.org/868705, and the reporter's PoC is at
http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
As I have commit access upstream, I fixed the bug by migrating away from
the VBScript-based parsing in
https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5,
and released 0.9.5 soon after.
For unstable, there is also a pending upload currently in mentors for
0.9.5-1. https://mentors.debian.net/package/gnome-exe-thumbnailer