Search engine darling Google Inc. has issued a patch to cover a range of potentially dangerous security flaws in the enterprise-facing Google Mini search appliance.

The company's patch was issued after researchers at the Metasploit Project pinpointed several bugs that can be exploited by malicious hackers to conduct cross-site scripting, file discovery and service enumeration attackers.

Metasploit creator H.D. Moore warned in an advisory that the most serious bug can lead to arbitrary command execution.

Security alerts aggregator Secunia Inc. rates the flaws as "highly critical."

According to Moore, Google's patch and advisory were only released to businesses that pay about $3,000 for the pizza box-sized appliance.

A spokesperson for Google said the company learned of the issue several months ago and quickly made a patch available to all enterprise customers. "No customers have reported any effect related to this issue," he added.

Metasploit's Moore said the flaw was discovered in a feature that allows customization of the Google Mini's search interface through XSLT (Extensible Stylesheet Language Transformations) style sheets. He explained that certain versions of the appliance allow a remote URL to be supplied as the path to the XSLT style sheet, and warned that the feature can be abused to perform malicious hacking attacks.