flatCore-CMS 1.4.6 is vulnerable to reflected XSS in user_management.php due to the use of $_SERVER['PHP_SELF'] to build links and a stored XSS in the admin log panel by specifying a malformed User-Agent string.

Cross site scripting (XSS) vulnerability in pages.edit_form.php in flatCore 1.4.6 allows remote attackers to inject arbitrary JavaScript via the PATH_INFO in an acp.php URL, due to use of unsanitized $_SERVER['PHP_SELF'] to generate URLs.

SQL Injection vulnerability in flatCore version 1.4.6 allows an attacker to read and write to the users database.

CSRF vulnerability in flatCore version 1.4.6 allows remote attackers to modify CMS configurations.

SQL Injection vulnerability in flatCore version 1.4.6 allows an attacker to read the content database.