The PHP announcement on 20070503 included an issue which is a remotely triggerable heap buffer overflow inside the bundled libxmlrpc library. Note that this is the C xmlrpc library extension and most PHP applications implementing XMLRPC would use the native-PHP xmlrpc code which is not affected by this issue.
text "A heap buffer overflow flaw was found in the PHP 'xmlrpc' extension. A PHP script which implements an XML-RPC server using this extension could allow a remote attacker to execute arbitrary code as the 'apache' user. Note that this flaw does not affect PHP applications using the pure-PHP XML_RPC class provided in /usr/share/pear. (CVE-2007-1864) "