Gxlcms 2.0 before bug fix 20180915 has SQL Injection exploitable by an administrator.
gxlcms gxlcms 2.0