Nuxeo is vulnerable to Remote Code Execution without authentication using Server Side Template Injection
We suggest you update Nuxeo to the latest version to eliminate this vulnerability.