I would file a CVE for any program that places untrusted content into PATH and invokes non-fully qualified executable names - not for the shell.