Basically anything that accepts data from a 3rd party is potentially exploitable, whether it requests this data (eg. a web browser, or a program that reads .pdf files), or it is sent it (email software, web server, etc). Anytime you run a program that takes in new data you are trusting the program to cope with whatever it's sent, it doesn't matter whether you are reading this data of a disk from a friend (does it has a Word Macro virus in the document) or allowing anyone on the internet to connect to your server you should be thinking about the implications for your computer's security.