Googling 60cycleCMS these days brings up a few "security vulnerabilities" that, at first glance, are somewhat alarming. The first alleged vulnerability is generally described as an HTML injection or a persistent XSS (cross-site scripting) vulnerability. Here's a link to a report (the reports tend to multiply across the web, so there are other sites describing the same exploit).
I'm all for transparency and openness in coding, and I'm glad people take time to expose vulnerabilities in others' code. However, this XSS "vulnerability" really needs to be put in context.
The second supposed vulnerability is a remote file inclusion vulnerability. Here's a link. Originally posted over at exploit-db.com, this exploit claimed that you could include a remote file in the PHP powering the CMS, thus allowing you to execute arbitrary code on the webserver. The "exploit" centered on overwriting the $_SERVER variable so that the CMS would load the config.php file from a location other than the usual one (one level above the website root). This vulnerability is just plain false. PHP does not allow a remote user to override the $_SERVER variable, for obvious reasons. There's an email thread discussing this in more detail here. The exploit has been removed from ExploitDB (I can only assume because it is incorrect), but a few sites around the web still have it up.
The point is, don't believe everything you read on the web. It would seem there are people out there trying to make us think they're l33t hackers by exposing security vulnerabilities when, in reality, they don't do their homework and are sometimes just plain wrong. If you do have any concerns about the security of 60cycleCMS, please contact me or leave a comment, and I will be happy to discuss your concerns.