Multiple cross-site scripting (XSS) vulnerabilities in ViewCVS 0.9.2 allow remote attackers to inject arbitrary HTML and web script via certain error messages.