Is *not* a security vulnerability. But, it *is* a risk and a bad practice. Disabled by default in versions >= 4.1.0. Use %$_GET% and %$_POST% instead.