problem

Security fixes in 6.16:

Installation cross site scripting
A user-supplied value is directly output during installation allowing a malicious user to craft a URL and perform a cross-site scripting attack. The exploit can only be conducted on sites not yet installed.

Open redirection
The API function drupal_goto() is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the Drupal site to send the user to an arbitrarily provided URL. No user submitted data will be sent to that URL.

Problem:
When running cron.php (with browser or from the Reports page) you getting redirects to some pages

Fix:
Looks like there are some drupal_goto exists in hooks. In my case the problem was in the custom module in hook_nodeapi.

So remember, If you use Apache Solr integration module (or other module, which runs miscellaneous hooks on cron), it will run through the hook_nodeapi('view') on cron to index content, and if you have drupal_goto there, then you're busted.

Imagine situation when you are trying to make tinymce speak your language. It seems to be easy (Drupal 6, Tinymce 3.2.1):
1. Get language pack from http://tinymce.moxiecode.com/download_i18n.php.
2. Unpack it to modules/tinymce/tinymce/jscripts/tiny_mce.
3. Change settings in admin/settings/tinymce to your language.