The peril of unquoted Python strings, and how they caused CVE-2024-9287