NetHack before version 3.6.0 allowed malicious use of escaping of characters in the configuration file which could be exploited. This bug is patched in NetHack 3.6.0.