From ${URL} :

xhprof, a hierarchial profiler for PHP, was found to have a Cross-Site Scripting vulnerability in 
it's run parameter, because it fails to sufficiently sanitize the user input.

To exploit this vulnerability, an attacker must entice an unsuspecting user to follow a malicious 
URI, which could compromise the cookie-based authentication information, execute arbitrary 
client-side scripts in the context of the browser, or obtain sensitive information.

The issue is known to be fixed in Xhprof 0.9.4.

References:

http://www.securityfocus.com/bid/62928/info
http://pecl.php.net/package-changelog.php?package=xhprof&release=0.9.4


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.