Exim 3.x-3.36 and 4.x-4.10 - Authenticated Remote Code Execution via pid_file_path Format String
Format string vulnerability in daemon.c for Exim 4.x through 4.10, and 3.x through 3.36, allows exim administrative users to execute arbitrary code by modifying the pid_file_path value.
neon < 0.24.5 - Remote Code Execution via Format String Vulnerability
Multiple format string vulnerabilities in (1) neon 0.24.4 and earlier, and other products that use neon including (2) Cadaver, (3) Subversion, and (4) OpenOffice, allow remote malicious WebDAV servers to execute arbitrary code.