CVS v1.11.4 and below contains a double free bug which allows attackers with read access to execute code on the server by sending a malformed directory name. By default, CVS runs with root privileges. Patch available here.
cf1e29270d759e81797059b571c99eff0c58d3aa9fffcdeb234d72fc4c3a22a7