No-CMS version 1.0 contains a SQL injection vulnerability in the order_by parameter of the manage_privilege export endpoint. The vulnerability allows authenticated attackers to manipulate database queries by submitting malicious POST requests to the /nocms/main/manage_privilege/index/export endpoint. Attackers can exploit the order_by[0] parameter to inject malicious SQL code and extract sensitive database information. This vulnerability affects the privilege management functionality of the No-CMS content management system and requires authentication to exploit.