There had been code execution exploits tied to escape sequences, for example:

https://news.ycombinator.com/item?id=40428032 - Abusing url handling in iTerm2 and Hyper for code execution (2024-05-21)