An XSS vulnerability exists in wwwblast.c in the 2.0.7 up to and including 2.2.26 legacy versions of the NCBI ToolBox via a crafted -z1 argument.
nih ncbi toolbox