It’s not really a security hole but more of a feature that needs to be disabled for people who run seedbox companies or just have a ton of idiots on one server…
Problem: In a limited shell you can run nano and press Ctrl-R then Ctrl-T to open the file browser. From there you can browse every file on the server.
The fix: Compile nano from source with the file browser disabled. Installation steps are below:
wget https://www.nano-editor.org/dist/v2.7/nano-2.7.3.tar.gz
tar -xzf nano-2.7.3.tar.gz
cd nano-2.7.3
./configure --disable-browser
make
make install
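A check to run after the install, added here as an example and not part of the original post: with no `--prefix`, `make install` puts the new binary under /usr/local, so a distribution-packaged nano elsewhere on PATH can still offer the file browser. The script assumes `nano --version` lists the build's configure flags under "Compiled options:"; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit every nano binary reachable through PATH.
# Assumption: `nano --version` prints the configure flags it was built with.

# Reads `nano --version` text on stdin; succeeds only if the build
# was configured with --disable-browser.
browser_disabled() {
    grep -q -e '--disable-browser'
}

# Prints one line per nano binary found in a PATH-style list
# (default: $PATH). Returns 1 if any binary still has the file browser.
audit_nano() {
    dirs=${1:-$PATH}
    status=0
    old_ifs=$IFS
    IFS=:
    for dir in $dirs; do
        IFS=$old_ifs
        bin="${dir:-.}/nano"
        # Skip directories without an executable file named nano.
        [ -x "$bin" ] && [ ! -d "$bin" ] || continue
        if "$bin" --version 2>/dev/null | browser_disabled; then
            echo "OK       $bin"
        else
            echo "BROWSER  $bin"
            status=1
        fi
    done
    IFS=$old_ifs
    return $status
}

if audit_nano; then
    echo "no nano on PATH exposes the file browser"
else
    echo "at least one nano still has the file browser; remove or replace it"
fi
```

Run it as the restricted user so that it sees the same PATH the limited shell does.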