clicking links should not be a security issue and yes the CVE is totally deserved: that's remote code execution.