Narou (aka Narou.rb) before 3.8.0 allows Ruby Code Injection via the title name or author name of a novel.