I've found a secuirty issue with the proxy implementation of find_with_xapian in the acts_as_xapian plugin. I've documented it over at the acts_as_xapian Google Group (http://groups.google.com/group/ acts_as_xapian/browse_thread/thread/8bc8da3275985383) but since that group is pretty low traffic I thought it would be a good idea to let people know about it here too just in case they're using aax but don't know about it yet.
Dale