The mailto CGI script allows remote malicious user to execute arbitrary commands via shell metacharacters in the emailadd form field.
ranson johnson mailto cgi script