FlameCMS 3.3.5 has SQL injection in account/login.php via accountName.
flamecms project flamecms 3.3.5