XEmacs 21 (and up) includes support for an automatic package installing
system. The problem is that, by default, /usr/lib/xemacs/xemacs-packages
is installed with mode 777, thus allowing any user to upgrade packages --
but also to introduce any trojan horses or any other such things,
especially on shared systems.
Since xemacs is so complex, this can be exploited in many ways (i.e.
hacking term.el or shell.el to save passwords, etc.)
This was fixed at some point. Thanks.