No-CMS 1.1.3 is prone to Persistent XSS via the blog/manage_article "keyword" parameter.
no-cms project no-cms 1.1.3