ameliaquining 5 days ago

If you're stipulating deliberately inserted vulnerabilities then there are much easier ways, e.g., with a plausibly-deniable logic bug in code that calls os/exec or reflect (both of which can execute arbitrary code by design).

gf000 5 days ago | parent [-]

If you see `exec`, that's an obvious point where you want to pay extra attention.

Compare to an innocent-looking map operation, and it's not even in the same league.

ameliaquining 5 days ago | parent [-]

What's the least suspicious-looking code that you think could facilitate remote code execution via data-race memory corruption?