eval or exec with user input enables remote code execution
Severity: critical | Category: security | Updated Mar 2, 2026 (via Exa)
Technologies:
How to detect:
Code passes user-controlled input to eval() or exec(), either directly or after string concatenation or formatting, to implement dynamic behavior such as dispatching on an action name sent by the client. Both functions execute whatever Python source they receive, so an attacker who controls any part of that string can run arbitrary code on the server with the application's privileges.
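A minimal static check for this pattern, added here as an example and not part of the original page: it parses Python source with the standard `ast` module and flags every eval()/exec() call whose first argument is not a string literal, since a non-literal argument is where runtime (possibly user-controlled) data enters. The sample source in SAMPLE is constructed for the demonstration; `load_user` and `request` in it are hypothetical names.

```python
import ast


def find_dynamic_eval(source, filename="<input>"):
    """Return sorted (line, func_name) pairs for each eval()/exec() call whose
    argument is built at runtime rather than written as a string literal.

    A literal such as eval("1 + 1") is skipped: no external data can flow into
    it. Anything else (concatenation, f-strings, variables) is reported for
    review, because the checker cannot tell a config value from request input.
    """
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Name):          # eval(...)
            name = func.id
        elif isinstance(func, ast.Attribute):   # builtins.eval(...)
            name = func.attr
        else:
            continue
        if name not in ("eval", "exec") or not node.args:
            continue
        arg = node.args[0]
        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            continue  # literal code string, not user-controlled
        findings.append((node.lineno, name))
    return sorted(findings)


# Constructed sample input: a file mixing the vulnerable pattern with a
# harmless literal. `load_user` and `request` are hypothetical.
SAMPLE = '''\
import builtins

def dispatch(request):
    action = request.args["action"]
    user = load_user(request)
    return eval("user." + action + "()")     # flagged: string built at runtime

def run_plugin(code):
    exec(code, {"__builtins__": {}})         # flagged: emptying builtins is not a sandbox

def constant_case():
    return eval("1 + 1")                     # not flagged: literal

def alias_case(s):
    return builtins.eval(f"{s}")             # flagged: attribute form, f-string
'''


if __name__ == "__main__":
    for line, name in find_dynamic_eval(SAMPLE, "sample.py"):
        print(f"sample.py:{line}: {name}() with non-literal argument")
```

Run it over a real tree by reading each .py file into `find_dynamic_eval`. The check is intentionally noisy: it reports every non-literal argument and leaves deciding whether the value is user-controlled to the reviewer, because a taint analysis that misses an alias is worse than a list that needs triage.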
Recommended action:
Never pass user input to eval or exec, and do not try to make the call safe by restricting globals or emptying __builtins__; those sandboxes are routinely escaped through object introspection. Replace the dynamic call with an explicit mapping of allowed actions: ACTIONS = {"activate": lambda user: user.activate(), ...}; handler = ACTIONS.get(action), and reject the request when handler is None rather than falling back to anything dynamic. Use the same allow-list pattern wherever dynamic behavior is needed (for example, getattr only against a fixed set of permitted names). Validate and sanitize all input against what the application actually expects before processing it.
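The vulnerable dispatcher beside its allow-listed replacement, added here as an example and not code from the original page. The `User` class, the action names and the attacker payload are constructed for the demonstration; the payload only reads the working directory so the example is harmless to run, but it stands in for any expression an attacker would substitute.

```python
import os


class User:
    """Stand-in for an application user record (constructed for this example)."""

    def __init__(self, name):
        self.name = name
        self.active = False
        self.role = "member"

    def activate(self):
        self.active = True
        return f"{self.name} activated"

    def deactivate(self):
        self.active = False
        return f"{self.name} deactivated"

    def promote(self):
        # Exists on the object but is NOT meant to be reachable from a request.
        self.role = "admin"
        return f"{self.name} promoted"


def handle_action_vulnerable(user, action):
    """VULNERABLE: the request parameter is spliced into Python source.

    The attacker controls the text after "user." and before "()", which is
    enough to run any expression with the server's privileges.
    """
    return eval(f"user.{action}()")  # deliberately unsafe, shown for contrast


# Allow-list: the only actions a request may trigger, keyed by the exact
# string the client is permitted to send. Adding a capability means adding
# a line here; nothing outside this table is reachable from a request.
ACTIONS = {
    "activate": lambda user: user.activate(),
    "deactivate": lambda user: user.deactivate(),
}


def handle_action_safe(user, action):
    """Hardened: the request parameter is only ever used as a dict key."""
    handler = ACTIONS.get(action)
    if handler is None:
        raise ValueError(f"unknown action: {action!r}")
    return handler(user)


def demonstrate():
    """Run benign and attacker-controlled inputs through both handlers and
    return the outcomes so they can be inspected or asserted on."""
    # Constructed attacker input. The vulnerable handler turns it into
    #   user.activate() and __import__('os').getcwd()
    # so an arbitrary module call runs; os.system(...) would work the same way.
    attacker_action = "activate() and __import__('os').getcwd"

    results = {}
    results["vulnerable_benign"] = handle_action_vulnerable(User("alice"), "activate")
    results["vulnerable_attack"] = handle_action_vulnerable(User("eve"), attacker_action)
    # eval also exposes every method on the object, not just the intended ones.
    results["vulnerable_promote"] = handle_action_vulnerable(User("eve"), "promote")

    results["safe_benign"] = handle_action_safe(User("alice"), "activate")
    for label, action in (("safe_attack", attacker_action), ("safe_promote", "promote")):
        try:
            results[label] = handle_action_safe(User("eve"), action)
        except ValueError as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The safe handler never interprets the input; the worst an attacker can do is name a key that is not in ACTIONS and receive an error. Note that the allow-list also closes the second hole the eval version has: methods like promote that exist on the object but were never meant to be client-triggerable.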