An unsafe use of string concatenation in a shell string occurs in FontManager. If the developer allows the attacker to choose the font and outputs an image, the attacker can execute any shell command on the remote system. The name variable injected comes from the constructor of FontManager, which is invoked by ImageFormatter from options.
Thanks for the report. I would rather avoid the shell entirely by switching to Popen; would you like to be listed in the AUTHORS, and if so, how? Also, are you aware of a user of Pygments that exposes these parameters remotely? (you've listed AV:N)
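To make the two comments above concrete, here is an added, self-contained illustration. It is not Pygments' code and not the patch that was merged: `lookup_font_unsafe` is a hypothetical helper that concatenates the font name into a shell string the way the report describes, `lookup_font_argv` is the Popen-style fix (argument vector, no shell), and `lookup_font_quoted` shows `shlex.quote` for the case where a shell really cannot be avoided. `echo` stands in for the real font tool so the script runs offline, and `PAYLOAD` is a constructed attacker-controlled font name.

```python
import shlex
import subprocess

# Constructed attacker-controlled "font name". Closing the double quote lets the
# rest of the string run as separate shell commands in the unsafe variant.
PAYLOAD = 'DejaVu Sans"; echo INJECTED; echo "'


def lookup_font_unsafe(name: str) -> str:
    """Hypothetical vulnerable helper: the name is pasted into a shell string.

    shell=True hands the whole string to /bin/sh, so any shell metacharacter in
    `name` (quotes, ';', '$(...)', backticks) becomes part of the command.
    """
    cmd = 'echo "font: %s"' % name
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_font_argv(name: str) -> str:
    """Fixed form: no shell at all. The name is one argv element, so it can only
    ever be data for the child process, never a command."""
    proc = subprocess.run(["echo", "font: %s" % name],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def lookup_font_quoted(name: str) -> str:
    """Fallback if a shell pipeline is genuinely required: quote every
    untrusted fragment with shlex.quote before building the string."""
    cmd = "echo " + shlex.quote("font: %s" % name)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def injected(output: str) -> bool:
    """True when the payload's injected command actually executed, i.e. when
    'INJECTED' appears as its own line of output rather than inside the
    echoed font name."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    for fn in (lookup_font_unsafe, lookup_font_argv, lookup_font_quoted):
        out = fn(PAYLOAD)
        print("%-20s injected=%s output=%r" % (fn.__name__, injected(out), out))
```

Running it shows the unsafe variant emitting `INJECTED` on its own line (the attacker's command ran), while both safe variants print the whole payload back as a single literal string. The argv form is the one to prefer: it removes the shell from the picture entirely instead of relying on every call site remembering to quote.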
Many thanks for merging and improving. Feel free to add me to AUTHORS as Javantea. I have not looked for any users of Pygments who use the img formatter. The existence of the img formatter in a library commonly used for web apps seems to be enough of a reason to warrant AV:N even if none of the popular users (GitHub, Bitbucket, etc.) use this feature. In fact, users who don't use this feature probably leave out this file just so that they don't have to audit it during a code audit.