It's been brought to our attention that there is a potential SQL injection bug in stylesheet.php. We were due to release 1.0.6 anyway, but this just made us rush out a release as soon as we were notified. My suggestion is to update AS SOON AS POSSIBLE. If for some reason you can't then at the very least, replace your stylesheet.php with this file: http://svn.cmsmadesimple.org/svn/cmsmadesimple/tags/version-1.0.6/stylesheet.php. This flaw has been in the code for awhile, so if anyone has a legacy version and wants to know if they need a patch and how to do it, let us know in IRC or email. Here is the ChangeLog:

 - Fixes a potential SQL injection hole in stylesheet.php - A new installer that uses smarty templates and classes. it doesn't look much better atm, but does have alot more power and is alot cleaner for the future. - Show the footer on tags about and help pages - Fixes to the expression that caused session_start to not always be called. - Fixes for errors in get_template_vars with newer php versions - (important) Fixes a problem where the wrong module could be unloaded from memory if module files had been deleted manually, without explicitly uninstalling the module first. - Fixes to the safe mode tests - Fixes for open_basedir issues in ImageManager - Repeated quick reloads should no longer violate the 'cachable' page property. - Add a download link for the admin log - Fixes for the umask test in global settings 

Thanks! Sorry for the alarm, but we want to get this resolved as soon as possible.