I'm currently using 2.10.x on a Debian server.
I'm running an ASP.NET MVC 3 application.
It seems that when I query http://www.myserver.com/NONEXISTANTURL, without any custom error pages configured, I get the standard "Server Error in '/' Application" page saying "The resource cannot be found". The offending URL is repeated on the page, but without sanitizing it first.
The result is that when I query http://www.myserver.com/<h1>HELLO</h1> the HTML is included verbatim. I'm sure someone with more time can cause interesting XSS problems this way.
I've tried it on a few Mono sites that I know in production. It works on all of those that don't have a custom error page set up.
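The behaviour reported above, next to the encoded form, as an added example that is not part of the original post and is not Mono's own error-page code. The class, method names and page template are hypothetical, and the example assumes the request path is percent-decoded before it is written into the page.

```csharp
using System;
using System.Net;

// Added illustration: a simplified stand-in for the default
// "resource cannot be found" page. Not Mono's actual implementation.
static class NotFoundPageDemo
{
    const string Template =
        "<html><body><h1>Server Error in '/' Application.</h1>" +
        "<h2>The resource cannot be found.</h2>" +
        "<p>Requested URL: {0}</p></body></html>";

    // Behaviour described in the post: the requested path is echoed verbatim.
    public static string RenderVerbatim(string rawPath)
    {
        string decoded = Uri.UnescapeDataString(rawPath); // assumed decoding step
        return string.Format(Template, decoded);
    }

    // Hardened form: HTML-encode the path before it reaches the markup,
    // so '<', '>', '&' and quotes are rendered as text, not parsed as HTML.
    public static string RenderEncoded(string rawPath)
    {
        string decoded = Uri.UnescapeDataString(rawPath);
        return string.Format(Template, WebUtility.HtmlEncode(decoded));
    }

    static void Main()
    {
        // Constructed sample paths: the literal markup from the post
        // and the same path in percent-encoded form.
        string[] samples = { "/<h1>HELLO</h1>", "/%3Ch1%3EHELLO%3C%2Fh1%3E" };
        const string marker = "<h1>HELLO</h1>";

        foreach (string path in samples)
        {
            Console.WriteLine("path: " + path);
            Console.WriteLine("  verbatim page carries URL markup: "
                + RenderVerbatim(path).Contains(marker));
            Console.WriteLine("  encoded page carries URL markup:  "
                + RenderEncoded(path).Contains(marker));
            Console.WriteLine("  encoded fragment: "
                + WebUtility.HtmlEncode(Uri.UnescapeDataString(path)));
        }
    }
}
```

A check of this kind is useful as a regression test for any handler that reflects the request path, including custom error pages.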