acp/core/files.browser.php in flatCore 1.4.7 allows file deletion via directory traversal in the delete parameter to acp/acp.php. The risk might be limited to requests submitted through CSRF.Referenceshttps://github.com/flatCore/flatCore-CMS/issues/30
