It sounds like a shell injection vulnerability [I have not actually checked though]. Attack scenario is somewhat realistic ("friend" sends you an image in a manner that preserves filenames, you run command on file).
Being blatantly vulnerable is not the same thing as being not production ready.