TWiki before 5.1.4 allows remote attackers to execute arbitrary shell commands by sending a crafted ‘%MAKETEXT{}%' parameter value containing Perl backtick characters.

Source