Direct code injection vulnerability in FlatNuke 2.5.1 allows remote malicious users to execute arbitrary PHP code by placing the code into the url_avatar field.
flatnuke flatnuke 2.5.1