The mailto CGI script allows remote attacker to execute arbitrary commands via shell metacharacters in the emailadd form field.