Forum OpenACS Development: Re: Security breach in util_memoize "command $arg"
Many thanks for this catch! The problem might happen with all non-sanitized variables passed to a quoted util_memoize (which should not happen). This problem might as well become a semantic issue, since the word boundaries are lost through the double quotes when variables are substituted.
The version in the oacs-5-8 branch is now fixed.
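
The loss of word boundaries described in the post above, shown as an added example that is not part of the original post and is not OpenACS code. `memoize_stub` is a simplified, hypothetical stand-in for util_memoize (it evaluates the script it is given and caches the result), and `user_label` and both input values are constructed for illustration.

```tcl
# Hypothetical stand-in for util_memoize: evaluate the script and cache
# the result under the script string.
array set cache {}
proc memoize_stub {script} {
    global cache
    if {![info exists cache($script)]} {
        set cache($script) [uplevel #0 $script]
    }
    return $cache($script)
}

# Hypothetical cached procedure that expects exactly one argument.
proc user_label {name} {
    return "label for <$name>"
}

set touched 0

# Constructed inputs: one containing a space, one containing a command separator.
foreach arg {"Jane Doe" "x; set ::touched 1"} {
    # Quoted form: $arg is substituted into a string, which is then
    # re-parsed as a script, so its content decides the word boundaries.
    set rc [catch {memoize_stub "user_label $arg"} res]
    puts "quoted arg=<$arg> rc=$rc result=<$res> touched=$touched"
    set touched 0

    # List form: [list] quotes $arg so it stays a single word when the
    # script is evaluated.
    set rc [catch {memoize_stub [list user_label $arg]} res]
    puts "list   arg=<$arg> rc=$rc result=<$res> touched=$touched"
}
```

With the quoted form the first input fails on the argument count and the second runs a second command; with the list form both inputs reach `user_label` as one argument.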