The notify function in pidgin-knotify.c in the pidgin-knotify plugin 0.2.1 and earlier for Pidgin allows remote attackers to execute arbitrary commands via shell metacharacters in a message.
Gentoo Linux Security Advisory 201402-27 - A vulnerability in pidgin-knotify might allow remote attackers to execute arbitrary code. Versions 0.2.1 and below are affected.