It was discovered that the wordexp function of tinygltf, a library to load/save glTF files was susceptible to command execution when processing untrusted files.