Any package you install into Emacs can run arbitrary code with the
same privileges as the Emacs process itself. Be aware of this when
you use the package system (e.g. M-x list-packages) with third
party archives. Use only third parties that you can trust!
file-local-variable feature. (Yes, a risk, but easy to
change.)
There is an Emacs feature that allows the setting of local values for variables when editing a file by including specially formatted text near the end of the file. This feature also includes the ability to have arbitrary Emacs Lisp code evaluated when the file is visited. Obviously, there is a potential for Trojan horses to exploit this feature.
Emacs has a list of local variables that are known to be safe to set.
If a file tries to set any variable outside this list, it asks the
user to confirm whether the variables should be set. You can also tell
Emacs whether to allow the evaluation of Emacs Lisp code found at the
bottom of files by setting the variable enable-local-eval.
See File Variables in The GNU Emacs Manual.
Emacs relies on C libraries to parse images, and historically, many of these have had exploitable weaknesses. If you’re browsing the web with the eww browser, it will usually download and display images using these libraries. If an image library has a weakness, it may be used by an attacker to gain access.