feat: migrate opencode storage from JSON files to SQLite #62
Annotations
1 error
Command Injection in searchHostSessions via insufficient input sanitization:
src/agent/router.ts#L1309
User-controlled query string is inserted into shell command with inadequate escaping. Only quotes and backslashes are escaped, but shell metacharacters like $, `, ;, |, & remain unescaped, allowing arbitrary command execution via execSync.