Me and Benjamin have spent many days hacking a self hosted tt-rss instance, and we have managed to achive remote code execution on the tt-rss clients subscribed to a malicious feed. You can read our blog post or even the full report. I still can see some of my subscribers using vulnerable tt-rss clients so PLEASE PLEASE PLEASE update!!!