In Fiyo CMS 2.0.6.1, the 'tag' parameter results in an unauthenticated XSS attack.
fiyo fiyo cms 2.0.6.1