It was discovered that xapian-omega, a CGI interface for searching xapian databases, is not properly escaping user supplied input when printing exceptions. An attacker can use this to conduct cross-site scripting attacks via crafted search queries resulting in an exception and steal potentially sensitive data from web applications running on the same domain or embedding the search engine into a website. For the oldstable distribution , this problem has been fixed in version 0.9.9-1+etch1. For the stable distribution , this problem has been fixed in version 1.0.7-3+lenny1. For the testing and unstable distribution, this problem will be fixed soon. We recommend that you upgrade your xapian-omega packages.