Cross-site scripting (XSS) vulnerability in coWiki 0.3.4 allows remote attackers to inject arbitrary web script or HTML via the q parameter, as demonstrated using 26.html.