Michael Brooks (Sitewatch) discovered an XSS issue in the nonjs interface that allowed HTML injection via a crafted parameter.
0.5.10 is now available. This is actually just 0.5.9 with the following fix:
David