CVE-2019-9194:
elFinder command injection vulnerability in the PHP connector
CVSS Score: 9.8
Basic Information
Technical Details
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
studio-42/elfinder | composer | < 2.1.48 | 2.1.48
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unsafe command-string construction in several methods of the PHP connector that execute OS commands. In pre-patch versions these methods build command lines from user-controlled filenames without an argument separator, so a filename is handed to the external program in a position where it can be parsed as an option. The patch adds `--` argument separators to close this off. The functions shown in the commit diff (ffmpegToImg, createTmb, imgRotate, etc.) incorporate user input into command strings without adequate sanitization, allowing attackers to inject command options via specially crafted filenames. The high-confidence rating rests on three points:

1. The patch explicitly adds `--` separators in these functions.
2. The weakness aligns with CWE-78 (OS command injection).
3. Exploit POCs demonstrate command injection through the image-processing workflows these functions handle.
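To make the root cause concrete, the following added example (not elFinder's own code) contrasts the pre-patch pattern, where a quoted but unseparated filename can still be read as an option by the external program, with the patched pattern that inserts a `--` end-of-options separator, and adds a filename check as defence in depth. The tool name `imgtool`, its `-resize` option and the sample filename are placeholders constructed for the example; which external programs honour `--` is tool-specific (GNU getopt-style parsers do), so the name check is worth keeping alongside the separator.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not code from elFinder. 'imgtool' and '-resize' are
 * placeholders standing in for the real image helpers the advisory discusses.
 */

/**
 * Pre-patch style: escapeshellarg() stops shell metacharacters from breaking
 * out of the argument, but a filename beginning with '-' still reaches the
 * external program in a position where its parser treats it as an option.
 */
function buildCommandUnseparated(string $tool, array $opts, string $src, string $dst): string
{
    return $tool . ' ' . implode(' ', array_map('escapeshellarg', $opts))
        . ' ' . escapeshellarg($src) . ' ' . escapeshellarg($dst);
}

/**
 * Patched style: '--' tells a getopt-style parser that every following
 * argument is an operand, so a leading '-' in $src is just part of a path.
 */
function buildCommandSeparated(string $tool, array $opts, string $src, string $dst): string
{
    return $tool . ' ' . implode(' ', array_map('escapeshellarg', $opts))
        . ' -- ' . escapeshellarg($src) . ' ' . escapeshellarg($dst);
}

/**
 * Defence in depth for upload handling: refuse names that could be parsed as
 * options, plus path separators and control characters, independent of
 * whether the downstream tool honours '--'.
 */
function isSafeFileName(string $name): bool
{
    if ($name === '' || $name[0] === '-') {
        return false;
    }
    return preg_match('/[\/\\\\\x00-\x1f]/', $name) !== 1;
}

// Constructed sample: a filename that begins with a dash.
$constructedName = '-badname.jpg';

echo "unseparated: ", buildCommandUnseparated('imgtool', ['-resize', '48x48'], $constructedName, 'thumb.png'), PHP_EOL;
echo "separated:   ", buildCommandSeparated('imgtool', ['-resize', '48x48'], $constructedName, 'thumb.png'), PHP_EOL;
echo "name check (constructed): ", var_export(isSafeFileName($constructedName), true), PHP_EOL;
echo "name check (ordinary):    ", var_export(isSafeFileName('photo.jpg'), true), PHP_EOL;
```

Running this with `php` prints the two command lines side by side: in the first, the constructed name sits directly after the option list, while in the second it follows `--`. The name check rejects the constructed name and accepts an ordinary one, which is the layer to rely on when the external program does not implement an end-of-options separator.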