Hey
Seems it is possible to execute custom OS command thru
https://github.com/kaeverens/kvwebme/blob/master/install/theme-upload.php#L96

$_FILES[ 'theme-zip' ][ 'name' ] - it's just a HTTP POST param that can be controlled via request from user.

Nice catch. To be honest, I think it might be time to shut this project down. I haven't done anything on it in years.

Probably. I found it randomly - https://searchcode.com/?q=shell_exec (first result)