Cross-site scripting (XSS) vulnerability in Gobi as of 20070711, built on Helma, allows remote attackers to inject arbitrary web script or HTML via the q parameter to the search function.