The FILES directive inside a VM template allows execution of uploaded files when the template is instantiated, resulting in a Remote Code Execution (RCE) attack.

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in OpenNebula OpenNebula core on Linux allows Remote Code Inclusion.