I didn't contact the vendor, as Fransisco has a very bad track
record when it comes to replying to security reports.
Instead I wrote an unofficial patch for this issue. I have patched
against version 6.0.
The patch simply replaces all CR and LF characters in the vulnerable
variables with spaces, and then the exploit doesn't work anymore.
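The effect of that replacement, as an added example that is not the patch itself or the vendor's code: it assumes the vulnerable variables are concatenated into a line-delimited header block, and `neutralize_crlf`, `build_message`, `header_names`, the addresses and the sample input are all constructed for illustration.

```python
from email.parser import Parser


def neutralize_crlf(value: str) -> str:
    """Replace every CR and LF with a space, as the patch is described as doing."""
    return value.replace("\r", " ").replace("\n", " ")


def build_message(subject: str, sanitize: bool) -> str:
    """Hypothetical header-building code that concatenates a user-supplied value.

    With sanitize=False it mirrors the unpatched behaviour (assumed);
    with sanitize=True the value is neutralized before it is used.
    """
    if sanitize:
        subject = neutralize_crlf(subject)
    return (
        "From: site@example.org\r\n"
        "To: admin@example.org\r\n"
        f"Subject: {subject}\r\n"
        "\r\n"
        "Body text\r\n"
    )


def header_names(raw: str) -> list[str]:
    """Parse the header block and return the header names the receiver would see."""
    return [name for name, _ in Parser().parsestr(raw).items()]


# Constructed sample input: a value carrying a CRLF followed by a second header line.
CONSTRUCTED_INPUT = "hello\r\nBcc: third-party@example.net"

if __name__ == "__main__":
    # Unsanitized: the embedded CRLF ends the Subject line and starts a new header.
    print(header_names(build_message(CONSTRUCTED_INPUT, sanitize=False)))
    # Sanitized: the value stays on one line, so no extra header appears.
    print(header_names(build_message(CONSTRUCTED_INPUT, sanitize=True)))
```

Both characters have to be replaced, because many parsers treat a lone CR or a lone LF as a line break as well.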