The Magic Tabs module 5.x before 5.x-1.1 for Drupal allows remote attackers to execute arbitrary PHP code via unspecified URL arguments, possibly related to a missing "whitelist of callbacks."
https://exchange.xforce.ibmcloud.com/vulnerabilities/43020
http://www.securityfocus.com/bid/29682