Roundup, an issue tracking system, fails to properly escape HTML input, allowing an attacker to inject client-side code (typically JavaScript) into a document that may be viewed in the victim's browser.