Ksplice, working in conjunction with Lakitu Cloud Security, has released a high-severity advisory about a Plumber Injection attack in multiple versions of Bowser's Castle. An Italian plumber could exploit this bug to bypass security measures (walk through walls) in order to rescue Peach, to defeat Bowser, or for unspecified other impact.
This vulnerability is demonstrated by "happylee-supermariobros,warped.fm2". Attacks using this exploit have been observed in the wild, and multiple other exploits are publicly available. A patch has been made available.