A bug chain in Vim allows arbitrary OS command execution when a user
opens a crafted file. The tabpanel option is missing the P_MLE flag,
allowing a modeline to inject a %{expr} expression string without
requiring modelineexpr to be enabled. Although Vim correctly
evaluates the expression inside the sandbox, autocmd_add() lacks
a check_secure() call, allowing sandboxed code to register an
autocommand that fires after the sandbox exits.