The first one is not a vulnerability at all - $cmd is always initialised as a constant within the script. The second one is not a vulnerability either, as that file (filter.php) does not even exist!