CVE-2022-28521 — CVSS 9.8 (critical): ZCMS v20170206 was discovered to contain a file inclusion vulnerability via index.php?m=home&c=home&a=sp_set_config.
CVE-2022-28522 — CVSS 5.4 (medium): ZCMS v20170206 was discovered to contain a stored cross-site scripting (XSS) vulnerability via index.php?m=home&c=message&a=add.