As noted by @faidon in T257062, LilyPond allows arbitrary PostScript to be added to the intermediate output. When PNG output is requested, this arbitrary PostScript is passed to GhostScript without -dSAFER. So arbitrary read/write/execute is allowed, even when LilyPond is run with -dsafe.
I've confirmed that the issue is present in LilyPond 2.18, but not in 2.20. It regressed again in the 2.21 unstable branch.
I reported it upstream by email yesterday, and they immediately responded with a proposed patch that disables the PostScript injection feature when safe mode is active. It is unclear whether they plan on backporting it to 2.18 but they have agreed that it is a security issue and have asked for discretion pending a release.
WMF production is not currently affected. There will be a workaround in the Score extension, which I think we should announce as an urgent security update for third-party Score users. The vulnerability trivially allows arbitrary execution via wikitext in the default configuration of the Score extension, so it is of high severity.
The workaround will probably be to run LilyPond with --ps, requesting PostScript output, which MediaWiki will convert to PNG by separately running gs -dSAFER.
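As an added illustration of the two-stage pipeline described above (example code written for this page, not code from the Phabricator task, LilyPond or the Score extension): LilyPond is asked for PostScript only, and the PostScript is rasterised by a separate Ghostscript run with `-dSAFER`, so any PostScript embedded in the score never reaches an unrestricted `gs`. The helper names, the resolution, the output paths and the list of LilyPond options treated as "would invoke Ghostscript internally" are assumptions; `lilypond -dsafe --ps` and the `gs -dSAFER -sDEVICE=png16m` flags are the real command-line options.

```python
"""Render a LilyPond source to PNG without letting LilyPond call Ghostscript.

Added example, not part of the Phabricator task or the Score extension.
Pipeline (the workaround the task describes):
  1. lilypond -dsafe --ps   -> score.ps   (no internal gs invocation)
  2. gs -dSAFER ... score.ps -> score.png  (PostScript sandboxed by -dSAFER)
"""
import subprocess
from pathlib import Path

# LilyPond output selections that make LilyPond run Ghostscript itself.
# Assumed list for illustration: any PNG/PDF request, in either spelling.
_GS_INVOKING_OPTIONS = ("--png", "--pdf", "-fpng", "-fpdf")


def lilypond_args_are_safe(extra_args) -> bool:
    """True only if no extra option would make LilyPond invoke gs internally."""
    for arg in extra_args:
        if arg in _GS_INVOKING_OPTIONS:
            return False
        # --format=..., --formats=..., -f ... may select png/pdf output
        if arg.startswith(("--format", "-f")) and ("png" in arg or "pdf" in arg):
            return False
    return True


def lilypond_ps_command(src, out_base, extra_args=()) -> list[str]:
    """Build the LilyPond invocation: safe mode, PostScript output only."""
    extra = list(extra_args)
    if not lilypond_args_are_safe(extra):
        raise ValueError(
            "refusing LilyPond option that would invoke Ghostscript without -dSAFER"
        )
    return ["lilypond", "-dsafe", "--ps", "-o", str(out_base), *extra, str(src)]


def ghostscript_png_command(ps_file, png_file, dpi: int = 101) -> list[str]:
    """Build the separate, sandboxed Ghostscript rasterisation (dpi is assumed)."""
    return [
        "gs",
        "-dSAFER",      # restrict file access and disallow the dangerous operators
        "-dBATCH",
        "-dNOPAUSE",
        "-dQUIET",
        "-sDEVICE=png16m",
        f"-r{dpi}",
        f"-sOutputFile={png_file}",
        str(ps_file),
    ]


def render_safely(src, out_dir, dpi: int = 101) -> Path:
    """Run both stages and return the PNG path; raises on any non-zero exit."""
    src = Path(src)
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    base = out_dir / src.stem
    subprocess.run(lilypond_ps_command(src, base), check=True)
    ps_file = base.with_suffix(".ps")
    png_file = base.with_suffix(".png")
    subprocess.run(ghostscript_png_command(ps_file, png_file, dpi), check=True)
    return png_file


if __name__ == "__main__":
    import sys

    # Usage: python render_safely.py score.ly out/   (paths are assumptions)
    print(render_safely(sys.argv[1], sys.argv[2]))
```

The point of splitting the pipeline is that the only Ghostscript process ever started is the one whose arguments you control; LilyPond's own `--png` path would start a second one without `-dSAFER`, which is exactly the gap the task describes.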