I weren't completely sure if this issue has low priority because I don't know if there are valid use cases for such filenames or if this problem is a symptom of a higher priority problem.
It is a slight problem in that it can be used to inject remote commands from a filename, but even so they are pretty much harmless.
Btw: Another low priority issue is the possibility to add quotes in the filename to change some messages: […]
This should be another issue, but actually I don't think it is an issue, and what can we do? There will always be a way of naming a file that results in a confusing message if that message contains the filename. We could perform some escaping, but thus we wouldn't show the *actual* filename. Maybe we could somehow make that italics or so so that it stands out better… not sure it's worth it if it's not super easy.