Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.