admin/dl_data.php in zzcms 2018 (2018-10-19) allows remote malicious users to delete arbitrary files via action=del&filename=../ directory traversal.
Affected product: zzcms 2018 (vendor: zzcms)
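
A log-review check for the request pattern described above, as an added example that is not part of the advisory or of zzcms. It assumes combined-format access logs and that action and filename arrive in the query string (a POST body would not be logged); the sample lines, IP addresses and file names are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Oct/2018:10:00:01 +0000] "GET /admin/dl_data.php?action=del&filename=backup_1.sql HTTP/1.1" 200 512
203.0.113.9 - - [20/Oct/2018:10:00:07 +0000] "GET /admin/dl_data.php?action=del&filename=../example.txt HTTP/1.1" 200 498
203.0.113.9 - - [20/Oct/2018:10:00:09 +0000] "GET /admin/dl_data.php?filename=%2e%2e%2fother.txt&action=del HTTP/1.1" 200 498
203.0.113.7 - - [20/Oct/2018:10:01:00 +0000] "GET /admin/dl_data.php?action=list HTTP/1.1" 200 2048
203.0.113.9 - - [20/Oct/2018:10:02:00 +0000] "GET /news/show.php?id=3&filename=../x HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def has_traversal(value):
    """True if any path segment is '..' after bounded repeated URL-decoding."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return '..' in re.split(r'[\\/]', value)

def find_suspicious_deletes(log_text):
    """Return del requests to admin/dl_data.php whose filename leaves its directory."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, ts, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith('/admin/dl_data.php'):
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # decodes once
        if 'del' not in params.get('action', []):
            continue
        for name in params.get('filename', []):
            if has_traversal(name):
                hits.append({'ip': ip, 'time': ts, 'filename': name, 'status': int(status)})
    return hits

if __name__ == '__main__':
    for hit in find_suspicious_deletes(SAMPLE_LOG):
        print(hit)
```

A hit with a 200 status shows only that the request was served; whether a file was removed has to be confirmed on disk or from backups.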