SQL injection vulnerability in the navigation module (navigationmodule) in Exponent CMS 0.96.3 and later versions allows remote attackers to execute arbitrary SQL commands via the parent parameter.
https://exchange.xforce.ibmcloud.com/vulnerabilities/23109
http://www.securityfocus.com/bid/15389