Thanks to vondrt4 for bringing CVE-2016-4010 to our attention. This was a potentially critical vulnerability in Magento that turns out not to apply to TurnKey Magento, because it only effects Magento versions 2.0 - 2.0.5. The current version of TurnKey Magento is based on Magento 1.9.X.
Following our security procedure we first unpublished the vulnerable app from the library but after confirming it was not vulnerable we subsequently republished it and updated the documentation page to clarify the situation.
TurnKey users got lucky this time, but it's best not to rely on luck so we recommend that all Magento users sign up to the Magento Security Alerts in addition to the TurnKey Security and Announcements newsletter.