Bug #39121

closed

CVE-2026-1961: Remote Code Execution via command injection in WebSocket proxy

Added by Ondřej Gajdušek 2 months ago. Updated about 2 months ago.

Status:
Closed
Priority:
Immediate
Assignee:
-
Category:
Security
Target version:

Description

Summary: A critical command injection vulnerability exists in Foreman's WebSocket proxy implementation (lib/ws_proxy.rb). The vulnerability occurs when constructing shell commands using unsanitized hostname values from compute resource providers. An attacker operating a malicious compute resource server (VMware vSphere, Libvirt, etc.) can achieve remote code execution on the Foreman server when an administrator accesses VM console functionality.

Requirements to exploit: An attacker needs to operate a malicious compute resource server (such as a fake vSphere server) that returns poisoned hostname values. The Foreman administrator must then configure this malicious server as a compute resource and attempt to access the VM console through the normal workflow.
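As an added illustration, not Foreman's own lib/ws_proxy.rb code, the following Ruby contrasts the pattern class this report describes (a provider-supplied hostname interpolated into a shell string) with a hardened form that validates the hostname and builds an argv array so that no shell is involved. The proxy binary name `ws-proxy-bin` and the `valid_hostname?` check are assumptions for the example.

```ruby
# Example code, not Foreman's implementation. The binary name and the
# validator below are illustrative assumptions.

# Conservative RFC 1123-style hostname check: letters, digits and hyphens in
# dot-separated labels, each label 1..63 chars, whole name at most 253 chars.
HOSTNAME_RE = /\A(?=.{1,253}\z)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\z/i

def valid_hostname?(host)
  host.is_a?(String) && host.match?(HOSTNAME_RE)
end

# The dangerous pattern: one string that will later be handed to a shell.
# Any shell metacharacter returned by the compute resource becomes part of
# the command line instead of part of the hostname.
def unsafe_command(host, port)
  "ws-proxy-bin #{host}:#{port}"
end

# Hardened form: reject anything that is not a plain hostname, check the port,
# and return an argv array. Passing an array to Process.spawn / Kernel#system
# execs the program directly, so the host value is never parsed by a shell.
def safe_command(host, port)
  unless valid_hostname?(host)
    raise ArgumentError, "refusing non-hostname value from compute resource: #{host.inspect}"
  end
  unless port.is_a?(Integer) && (1..65_535).cover?(port)
    raise ArgumentError, "invalid port: #{port.inspect}"
  end
  ["ws-proxy-bin", "#{host}:#{port}"]
end

# Usage (argv form, no shell):
#   pid = Process.spawn(*safe_command(host_from_provider, 5900))
```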
