ZCMS v20170206 exists to contain a stored cross-site scripting (XSS) vulnerability via index.php?m=home&c=message&a=add.
zcms project zcms 20170206