ckdake writes "EDIT: There were a number of problems with pl3 so it has been pulled. Look for an updated security release some time today.
Jim Paris discovered a few security problems in Gallery which have been addressed in 1.4.4-pl3. The primary problem is a cross-site scripting vulnerability which allows code to be inserted into a Gallery by using specially formed URLs. This code then appears to be part of the Gallery.
No risk is posed to the webserver itself or any non-Gallery data, but a Gallery install could be compromised using appropriate code.
All Gallery users are very strongly urged to upgrade to 1.4.4-pl3 immediately, which fixes this serious problem and will secure your system.
Gallery 1.4.4-pl3 can be downloaded from the Gallery Download Page."