Honestly, all applications are vulnerable AF, especially the open source projects without a major team behind them. I work in a security research team and we find critical bugs like this in a weekly basis. Even in major projects which you would be scared to know about. I personally wouldn’t expose anything except SSH or a VPN, or if I have to expose a web app, it’s going inside a VLAN with very restrictive firewall rules, proper logging, and a reverse proxy enforcing authentication via an OIDC based IDP.

We generally spend a couple of days to a week before finding something critical allowing RCE.