An issue exists in PbootCMS. There is a SQL injection via the api.php/List/index order parameter.
pbootcms pbootcms -