CVE-2020-19705

thinkphp-zcms as of 20190715 allows SQL injection via index.php?m=home&c=message&a=add.