Vulnhub sunset: nightfall Walkthrough

by Vince
in Blog

The description states: "nightfall is a born2root VM designed for beginners."

I have to say that I was sort of disappointed at the direction this went, because I thought it was going one way and then it ended up going another. I guess if I had given some attention to the description, I would have realized my direction is a little more than beginner, but I guess that's also in the eye of the beholder. Anyway, let's get after it...


Grav CMS XSS

by Vince
in Blog

Disclosure date: 9/23/19

Grav CMS v1.6.16 and possibly earlier versions are affected by numerous Cross-Site Scripting (XSS) vulnerabilities. These vulnerabilities can be exploited with or without an authenticated account.

All things considered, this is fairly benign as far as I can tell. There are a number of built-in protections, and I think this is just a small hole that would be difficult (for me) to exploit. That said, I like the exercise.


Gila CMS 1.11.3 CSRF

by Vince
in Blog

Disclosure date: 9/23/19

Gila CMS 1.11.3 and possibly earlier versions are affected by a Cross-Site Request Forgery (CSRF) vulnerability due to a lack of CSRF protection. This could allow an attacker to trick the administrator into executing arbitrary code via a specially crafted HTML page.
