This was a report in the security team but can be public because of http://drupal.org/security-advisory-policy

David Hunt wrote:
Are straight eval() calls of user input - i.e. instead of drupal_eval() - a security risk worth informing you about?

function content_taxonomy_field_get_parent($field) {
  if (!empty($field['parent_php_code'])) {
    return eval($field['parent_php_code']);
  }
  return $field['parent'];
}

Followup discussion by neclimdul mentioned http://drupal.org/node/715010 as a best-practice worth reviewing and applying to the module.
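
A review aid for the pattern reported above, added here as an example (it is not code from the module or from the Drupal project): a small scanner that lists direct eval() calls in PHP source, skipping drupal_eval() and commented-out calls, and notes whether the argument contains a variable. The names find_direct_evals, blank_comments and call_argument are hypothetical, the sample input is constructed from the function quoted in the report, and string literals are not parsed, so the output is a heuristic.

```python
import re

# Constructed sample: the function quoted in the report, plus a drupal_eval()
# call and a commented-out eval() that must not be reported.
SAMPLE = r"""<?php
function content_taxonomy_field_get_parent($field) {
  if (!empty($field['parent_php_code'])) {
    return eval($field['parent_php_code']);
  }
  return $field['parent'];
}
function example_other($code) {
  // eval($code);
  return drupal_eval($code);
}
"""

# Bare eval( only: the lookbehind rejects drupal_eval(, ->eval( and ::eval(.
EVAL_RE = re.compile(r"(?<![\w>:$])eval\s*\(", re.I)
FUNC_RE = re.compile(r"\bfunction\s+&?\s*(\w+)\s*\(")
COMMENT_RE = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)

def blank_comments(src):
    """Replace comments with spaces, keeping newlines so line numbers hold."""
    return COMMENT_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)

def call_argument(src, open_paren):
    """Return the text between the parenthesis at open_paren and its match."""
    depth = 0
    for i in range(open_paren, len(src)):
        depth += {"(": 1, ")": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_paren + 1:i].strip()
    return src[open_paren + 1:].strip()

def find_direct_evals(src):
    """Return (line, enclosing function, argument, is_dynamic) per eval()."""
    src = blank_comments(src)
    findings = []
    for m in EVAL_RE.finditer(src):
        funcs = FUNC_RE.findall(src[:m.start()])
        arg = call_argument(src, m.end() - 1)
        findings.append((src.count("\n", 0, m.start()) + 1,
                         funcs[-1] if funcs else None, arg, "$" in arg))
    return findings

if __name__ == "__main__":
    for finding in find_direct_evals(SAMPLE):
        print(finding)
```

A finding marks a call site to review, not a confirmed flaw: drupal_eval() also executes the PHP it is given, so the deciding question for each hit is who is able to set the evaluated value.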