Secunia has published a "highly critical" security advisory for the Mambo CMS, applicable to all 4.x versions. It requires that register_globals is disabled, & can lead to remote system access & data manipulation. The vulnerability remains, as of yet, unpatched.

"The vulnerability is caused due to an error in the "register_globals" emulation layer in "globals.php" where certain arrays used by the system can be overwritten. This can be exploited to include arbitrary files from external and local resources via the "mosConfig_absolute_path" parameter."