A vulnerability exists wherein a specially crafted URL could enable reflected XSS via JavaScript in the pony mail interface.
apache pony mail