Nibbleblog 4.0.5 allows eval injection by placing PHP code in the install.php username parameter and then making a content/private/shadow.php request.Referenceshttps://github.com/dignajar/nibbleblog/issues/138
