flatCore-CMS 1.4.6 is vulnerable to reflected XSS in user_management.php due to the use of $_SERVER['PHP_SELF'] to build links and a stored XSS in the admin log panel by specifying a malformed User-Agent string.

SQL Injection vulnerability in flatCore version 1.4.6 allows an attacker to read and write to the users database.

CSRF vulnerability in flatCore version 1.4.6 allows remote attackers to modify CMS configurations.

SQL Injection vulnerability in flatCore version 1.4.6 allows an attacker to read the content database.