thinkphp-zcms as of 20190715 allows SQL injection via index.php?m=home&c=message&a=add.
thinkphp-zcms project thinkphp-zcms 2019-07-15