CVE-2016-4010
Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP objection injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data.
Date published : 2017-01-23
https://magento.com/security/patches/magento-206-security-update