For extensions like 3D, Cargo, CreateWiki, FlaggedRevs, TimedMediaHandler, PagedTiffHandler, PdfHandler, Score, SyntaxHighlight_GeSHi, Translate and Timeline, external commands may be executed (wfShellExec, exec, or Shell::command) to provide media to the extensions (e.g. timelines, videos) or to alter other databases.
However, most extensions require third-party libraries to be installed and executed. Unlike MediaWiki extensions, these libraries are harder to inspect and maintain for maximum security. A vulnerability in one of those libraries may be discovered at any time, which could lead to remote code execution: https://imagetragick.com/
Currently we execute all third-party libraries under the www-data user without further restrictions. Via software like firejail, we can execute those libraries inside sandboxes, which reduces the risk of a breach. Unfortunately, firejail requires Linux >3.0 (looking at you, RamNode), and firejail is also the only restriction method supported inside MediaWiki, so we should preferably find an alternative to firejail for the time being.
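An added example (not part of the original task or of MediaWiki): a preflight check an operator could run on each host to see whether firejail-based restriction is usable there, using the "Linux >3.0" threshold stated above. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: decide per host whether external commands can be sandboxed
# with firejail. The "newer than 3.0" threshold comes from the task text.

# kernel_newer_than_3_0 RELEASE
# RELEASE is in `uname -r` format, e.g. "2.6.32-042stab120.11".
# Returns 0 if newer than 3.0, 1 if not, 2 if RELEASE cannot be parsed.
kernel_newer_than_3_0() {
    release=$1
    major=${release%%.*}
    case $major in ''|*[!0-9]*) return 2 ;; esac
    case $release in
        *.*) rest=${release#*.}; minor=${rest%%[!0-9]*} ;;
        *)   minor=0 ;;
    esac
    [ -n "$minor" ] || minor=0
    if [ "$major" -gt 3 ]; then return 0; fi
    if [ "$major" -eq 3 ] && [ "$minor" -gt 0 ]; then return 0; fi
    return 1
}

# sandbox_decision RELEASE FIREJAIL_BIN
# Prints "firejail" when the sandbox is usable, otherwise the reason why
# commands on this host would still run unrestricted as www-data.
sandbox_decision() {
    if ! kernel_newer_than_3_0 "$1"; then
        echo "unrestricted: kernel $1 is not newer than 3.0"
    elif [ -z "$2" ] || [ ! -x "$2" ]; then
        echo "unrestricted: firejail binary not found"
    else
        echo "firejail"
    fi
}

# Stand-alone run against the current host.
sandbox_decision "$(uname -r)" "$(command -v firejail 2>/dev/null || true)"
```

Hosts that report "unrestricted" are the ones for which an alternative restriction method is needed.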