It was discovered that the get_modified_conffiles() function in backends/packaging-apt-dpkg.py allowed injecting modified package names in a manner that would confuse the dpkg(1) call.
Related bugs and status
CVE-2021-32556 (Candidate)
is related to these bugs: