Drupal Core is prone to a mail header injection vulnerability. Exploiting this issue could allow an attacker to use a vulnerable Drupal site to send unwanted emails. Drupal Core versions 4.6.x ranging from 4.6.0 and up to and including 4.6.5 are vulnerable.

Update to Drupal Core version 4.6.6 or latest

• https://www.drupal.org/node/53806