This is a !snbug announcement. A lame coding error left the opportunity for an #XSS attack in the #Bookmark plugin in !sn source which only very recently got fixed.
I recommend updating to !gnusocial v1.1.2-alpha1 (i.e. latest git commit) if you haven't disabled the Bookmark !gnusocial
I believe the severity is not very great, since only a href="" value could be written to contain JavaScript code, which requires a user to click the Bookmark's external link. Please correct me if I'm !gnusocial !gnusocial !gnusocial
I've sent emails to the mailing lists I know of handling these matters.
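
The bug class described above, script-capable content reaching a bookmark's href="" value, is usually closed by allow-listing the URL scheme before the link is rendered. The PHP below is an added example, not GNU social's code or its actual fix; the function names, the CSS class and the sample inputs are constructed for illustration.

```php
<?php
// Added example; function names are hypothetical, not GNU social's API.
const ALLOWED_SCHEMES = ['http', 'https'];

// Return the URL if it may be placed in href="", otherwise null.
function safe_bookmark_url(string $url): ?string
{
    // Browsers drop tab/CR/LF inside URLs and ignore leading control
    // characters and spaces, so normalise the same way before checking.
    $clean = preg_replace('/[\t\r\n]/', '', $url);
    $clean = preg_replace('/^[\x00-\x20]+|[\x00-\x20]+$/', '', $clean);

    // Require an explicit scheme and compare it case-insensitively.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $clean, $m)) {
        return null;
    }
    if (!in_array(strtolower($m[1]), ALLOWED_SCHEMES, true)) {
        return null;
    }
    // http(s) URLs must also carry a host.
    $host = parse_url($clean, PHP_URL_HOST);
    return (is_string($host) && $host !== '') ? $clean : null;
}

// Render the external link, or plain text when the URL is rejected.
function render_bookmark_link(string $url, string $title): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $text = htmlspecialchars($title, $flags, 'UTF-8');
    $safe = safe_bookmark_url($url);
    if ($safe === null) {
        return '<span class="bookmark-rejected">' . $text . '</span>';
    }
    $href = htmlspecialchars($safe, $flags, 'UTF-8');
    return '<a href="' . $href . '" rel="nofollow noopener">' . $text . '</a>';
}

// Constructed sample inputs: one valid bookmark, then values to reject.
$samples = [
    'https://example.org/a?x=1&y=2',
    'javascript:alert(1)',
    " JaVa\tScRiPt:alert(1)",
    'data:text/html,hello',
    '//example.org/',
];
foreach ($samples as $s) {
    echo render_bookmark_link($s, 'Bookmark'), "\n";
}
```

Only the first sample is emitted as a link, with `&` escaped to `&amp;` inside the attribute; the others fall back to the escaped title text.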