In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
http://www.securityfocus.com/bid/108790
http://packetstormsecurity.com/files/153372/Webmin-1.910-Remote-Command-Execution.html