functions/suggest.php in Banana Dance B.2.6 and previous versions allows remote malicious users to read arbitrary database information via a crafted request.