http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0857 "Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin before 1.5.7 allow remote attackers to inject arbitrary web script or HTML via (1) the page info, or the page name in a (2) AttachFile, (3) RenamePage, or (4) LocalSiteMap action." FC-5 and FC-6 seem affected, devel has been updated to 1.5.7 already.
Thanks a lot for pointing this out, as I had understood it was a regular "bugfix" update... rebuilds are tested and on their way.
Updates have now been pushed to FC-5 and FC-6 branches.