CVS v1.11.4 and below contains a double free bug which allows attackers with read access to execute code on the server by sending a malformed directory name. By default, CVS runs with root privileges. Patch available here.
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/30745/cvs-1.11.4.txt
Source: https://packetstormsecurity.com/files/30745/cvs-1.11.4.txt.html