The default configuration of Cobalt RaQ2 servers allows remote users to install arbitrary software packages.