Etherpad 1.5.x and 1.6.x prior to 1.6.4 allow a malicious user to export all the existing pads of an instance without knowledge of pad names.