I HATE that the industry started calling these RCE (specifically "passive" RCE). It really muddies the waters. This isn't a normal RCE where an attacker can remotely connect in and execute code. Those are very serious. This is a passive RCE. Basically code injection from inappropriately parsing a file. And it doesn't need to be remote. You can use a local file.