XSS in Comments (VW4 Alpha)
Although we didn't have the settings enabled, it was possible to create a XSS exploit in VaultWiki 4 Alpha 1 by enabling HTML in comments. While there were Usergroup Permissions as well, the permissions were not overriding the global setting.
This should now be Fixed in Aardvark, but trying to use XSS exploits like this should be something on the Alpha Team task list.
Note that this exploit only affected Alpha 1, which is not public and was only used on private (now patched) servers.