There is a Local File Inclusion / Arbitrary File Upload bug in CMSimple, which is being exploited by hackers.
If your webhotel runs with register globals on (only a few does), you are strongly advised to update CMSimple to the download available at cmsimple.org / cmsimple.com (version 3.1 - in top of cms.php added "SECURITY BUG FIX JUNE 1.2008").
The bug fix is at line 70 in cms.php:
$pth['file']['language'] = $pth['folder']['language'].$sl.'.php';
basename function is to be added to $sl:
$pth['file']['language'] = $pth['folder']['language'].basename($sl).'.php';
On Linux/Apache you can sometimes turn off register_globals by uploading a .htaccess file in webroot with "php_flag register_globals off".