This is a !snbug announcement. A lame coding error left the opportunity for an # attack in the # plugin in !sn source which only very recently got fixed.

I recommend updating to !gnusocial v1.1.2-alpha1 (i.e. latest git commit) if you haven't disabled the Bookmark !gnusocial

I believe the severity is not very great, since only a href="" value could be written to contain javascript code. Which requires a user to click the Bookmark's external link. Please correct me if I'm !gnusocial !gnusocial !gnusocial

I've sent emails to the mailinglists I know of handling these matters.