A vulnerability that allows arbitrary remote code execution has been found in the HTML_AJAX package. All versions of the package from 0.4.0 up to and including release 0.5.6 are affected.
A new release of the package is available which fixes this issue. Users are strongly encouraged to upgrade to it by using:
$ pear upgrade HTML_AJAX-0.5.7
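
To find hosts that still need the upgrade, the affected range above can be checked against the installed package list. The script below is an added example, not part of the original advisory; it assumes the usual `pear list` table layout (package name in the first column, version in the second), and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: flag HTML_AJAX installs inside the affected range 0.4.0 - 0.5.6.

# Convert MAJOR.MINOR.PATCH to one comparable integer (each part assumed < 1000).
# The body runs in a subshell so the IFS change does not leak to the caller.
ver_to_int() (
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop suffixes such as "beta1"
    IFS=.
    set -- $v
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
)

# Succeeds when the given version lies in 0.4.0 .. 0.5.6 inclusive.
is_affected() {
    n=$(ver_to_int "$1")
    [ "$n" -ge 4000 ] && [ "$n" -le 5006 ]
}

# Read a `pear list`-style table on stdin and print the HTML_AJAX version, if any.
installed_version() {
    awk '$1 == "HTML_AJAX" { print $2; exit }'
}

# Read the table on stdin and print one status line for the host.
audit() {
    ver=$(installed_version)
    if [ -z "$ver" ]; then
        echo "not-installed"
    elif is_affected "$ver"; then
        echo "affected $ver"
    else
        echo "ok $ver"
    fi
}

# Constructed sample listing (assumed layout); on a real host use: pear list | audit
SAMPLE='Installed packages, channel pear.php.net:
=========================================
Package          Version State
Archive_Tar      1.3.2   stable
HTML_AJAX        0.5.4   beta
PEAR             1.7.2   stable'

printf '%s\n' "$SAMPLE" | audit
```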