In a blog posting on blogspot a 14 year old kid named Anthony has discovered a Javascript Gmail vulnerability.
Anthony wrote "Apparently javascript will run if it is withing the preview of the message" meaning that hackers could grab email addresses or possibly steal cookies and compromise Google accounts. It"s surprising that this vulnerability existed and who knows how long this has been a hole.
According to Anthony the Javascript he sent to himself was from a Yahoo account, emailing from Gmail to Gmail accounts filters the code out.
24 hours after Anthony discovered the issue Google have now fixed the problem but have not issued a statement regarding this latest privacy slip up.