An issue in Lepton CMS v.7.0.0 allows a local malicious user to execute arbitrary code via the upgrade.php file in the languages place.