Cirrusboard has been written to be as secure as possible, with all common attack vectors of a web application taken in mind. It has also been tested in a production scenario on Voxelmanip Forums and proven to be reasonably secure.
All queries in Cirrusboard that contain user input are constructed with prepared statements, making SQL injection close to impossible.
Cirrusboard makes use of the Twig templating engine, which treats all variables passed to the template as unsafe by default and sanitises them.
Arbitrary PHP execution
eval() (more like
evil()!) is used in the code.
However, if your web server is misconfigured PHP code might be able to be executed in profile pictures. You should make sure you have set up PHP in the proper way, which should never run PHP code for files without the .php extension (which profile pictures do not have).
No software is perfect, and mistakes may happen, whether it be caused by your configuration or Cirrusboard itself. As stated in the license Cirrusboard is provided AS IS without any warranty.
If you believe you have found a vulnerability in the Cirrusboard software, please responsibly disclose it privately to ROllerozxa.