Etherpad 1.6.3 prior to 1.6.4 allows an malicious user to execute arbitrary code.
etherpad etherpad 1.6.3