The update process in Xmind 3.4.1 and earlier allow remote attackers to execute arbitrary code via a man-in-the-middle attack.