sql injection in "title" argument when you submit a web link.
http://secunia.com/advisories/20745/ it was corrected in portage in 4.5.4-r1 on June 20th by rl03 closing without glsa (no stable ebuild)