The mailto CGI script allows remote attacker to execute arbitrary commands via shell metacharacters in the emailadd form field.
https://exchange.xforce.ibmcloud.com/vulnerabilities/5241
http://www.securityfocus.com/bid/1669
http://archives.neohapsis.com/archives/bugtraq/2000-09/0088.html