From ${URL} : xhprof, a hierarchial profiler for PHP, was found to have a Cross-Site Scripting vulnerability in it's run parameter, because it fails to sufficiently sanitize the user input. To exploit this vulnerability, an attacker must entice an unsuspecting user to follow a malicious URI, which could compromise the cookie-based authentication information, execute arbitrary client-side scripts in the context of the browser, or obtain sensitive information. The issue is known to be fixed in Xhprof 0.9.4. References: http://www.securityfocus.com/bid/62928/info http://pecl.php.net/package-changelog.php?package=xhprof&release=0.9.4 @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.