We’ve just released a security update for Pontoon, which validates repository URLs and hence prevents the ability to execute malicious code.
Thanks to Alessio Della Libera of the Snyk Security team for reporting the issue and documenting the potential vulnerability!
Please update your instance ASAP.