Registered users without scripting/programming permissions are able to execute python/groovy scripts while editing personal dashboards.
Full path to reproduce:
1) Create new user on xwiki.org (or myxwiki.org)
2) Go to profile -> Edit -> My dashboard -> Add gadget
3) Choose either python or groovy.
4) Paste following python/groovy code (for unix powered xwiki)
5) Submit the gadget
-User is unable to execute server side code due to lack of permissions
-User can execute server side code as seen on a screenshots.
This issue affects all versions of xwiki that have personal dashboard feature.