Josh Triplett discovered that ikiwiki did not block Javascript in URLs, leading to cross-site scripting vulnerabilities (CVE-2008-0808, CVE-2008-0809). The old stable distribution (sarge) did not contain an ikiwiki package.