SeaCMS 6.64 and 7.2 allows remote malicious users to delete arbitrary files via the filedir parameter.
seacms seacms 6.64
seacms seacms 7.2