controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the dirname variable.
finecms project finecms 5.0.11