Koala Framework prior to 2011-11-21 has XSS via the request_uri parameter.
koala-framework koala framework