There are some checks on the file extension but no pensive reflections on magic bytes, malware introspection, etc., before exec()'ing. For example, uploaded or downloaded, if it ends in zip, then Module Admin will happily feed the file to the unzip binary, which can harbor its own demons… ZipArchive
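To make the point above concrete, here is an added example (my own code, not Module Admin's or any project's) of what "check the magic bytes, then extract safely" looks like versus trusting the extension. It verifies the ZIP signature before touching the archive, and then refuses entries that would escape the extraction root (`..` components, absolute paths, symlink entries) and archives whose declared uncompressed size is implausibly large. The sample archive, including the traversal entries, is constructed inline; the names and the size cap are assumptions for illustration.

```python
import io
import os
import posixpath
import tempfile
import zipfile

# Signatures of the three ZIP container forms: local file header, empty
# archive (end-of-central-directory only) and spanned archive. A ".zip"
# extension proves nothing; these four bytes at least prove the container.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")
MAX_TOTAL_BYTES = 50 * 1024 * 1024  # assumed cap on declared uncompressed size


def looks_like_zip(data: bytes) -> bool:
    """Magic-byte check, independent of whatever the file is called."""
    return data[:4] in ZIP_MAGICS


def is_unsafe_member(name: str) -> bool:
    """True for entry names that would land outside the extraction root."""
    if name.startswith(("/", "\\")) or "\\" in name:
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def safe_extract(data: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract a ZIP byte string into dest. Returns (extracted, rejected)."""
    if not looks_like_zip(data):
        raise ValueError("not a ZIP archive (bad magic bytes)")
    root = os.path.realpath(dest)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if sum(i.file_size for i in infos) > MAX_TOTAL_BYTES:
            raise ValueError("declared uncompressed size exceeds cap")
        for info in infos:
            name = info.filename
            # Unix mode lives in the high 16 bits; 0o120000 is S_IFLNK.
            is_symlink = ((info.external_attr >> 16) & 0o170000) == 0o120000
            if is_unsafe_member(name) or is_symlink:
                rejected.append(name)
                continue
            target = os.path.realpath(os.path.join(root, name))
            # Belt and braces: the resolved path must still be under root.
            if os.path.commonpath([root, target]) != root:
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed test archive: two benign module files plus three hostile entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("module/module.xml", "<module/>")
        zf.writestr("module/helper.php", "<?php echo 'hi';")
        zf.writestr("../../evil.php", "<?php system($_GET['c']);")   # classic zip-slip
        zf.writestr("module/../../evil2.php", "<?php phpinfo();")   # traversal after normpath
        link = zipfile.ZipInfo("module/link")                       # symlink entry
        link.external_attr = 0o120777 << 16
        zf.writestr(link, "../../../etc/passwd")
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Run the safe extractor on the constructed archive in a scratch directory."""
    data = build_sample_archive()
    with tempfile.TemporaryDirectory() as scratch:
        return safe_extract(data, scratch)


if __name__ == "__main__":
    ok, bad = demo()
    print("extracted:", ok)
    print("rejected: ", bad)
```

Note what the extension-only path misses: a renamed PHP file never reaches `unzip` here because `looks_like_zip` fails, and a genuine ZIP still cannot drop `evil.php` two directories up because every member name is normalised and re-checked against the resolved root before a single byte is written.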
Agreed. The 8.8 should be at most 6.5 per my scoring CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H (which is still annoyingly high).
This particular issue has probably been present for over a decade, but work is being done to improve the process, especially when it comes to security reporting, which saw a number of leaps forward in 2024, as discussed earlier in this post. For example, a similar path traversal upload issue in OSS EPM was handled according to policy in the fall.