PHP remote file inclusion vulnerability in lang.php in CMS Made Simple 0.10 and earlier allows remote attackers to execute arbitrary PHP code via the nls[file][vx][vxsfx] parameter.
http://secunia.com/advisories/16654/
http://marc.info/?l=bugtraq&m=112552342004406&w=2
http://forum.cmsmadesimple.org/index.php/topic%2C1549.0.html