Skip to main content

jfinal_cms CVE-2026-11473

| EUVDEUVD-2026-35004 MEDIUM
SQL Injection (CWE-89)
2026-06-08 VulDB GHSA-g33j-w4fc-53xg
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 01:28 vuln.today
CVSS changed
Jun 08, 2026 - 01:22 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)

DescriptionCVE.org

A vulnerability was identified in jflyfox jfinal_cms up to 5.1.0. This impacts the function list of the file AdvicefeedbackController.java. Such manipulation of the argument orderBy leads to sql injection. The attack can be launched remotely. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

SQL injection in jflyfox jfinal_cms through version 5.1.0 exposes database contents to remote, low-privileged attackers via an unsanitized orderBy parameter in the list function of AdvicefeedbackController.java. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-reachable exploitation requiring only a low-privileged account, with limited but real confidentiality, integrity, and availability impact. The project was notified via GitHub issue #62 but has not responded, and no vendor-released patch exists at time of analysis. No public exploit code or confirmed active exploitation has been identified.

Technical ContextAI

jfinal_cms is a Java-based content management system built on the JFinal MVC framework. The vulnerable component is the list function within AdvicefeedbackController.java, which processes feedback listing requests and accepts a user-supplied orderBy parameter that is passed directly into a SQL query without proper parameterization or escaping. This is a textbook CWE-89 (Improper Neutralization of Special Elements used in SQL Command) flaw - ORDER BY clauses are particularly susceptible because they cannot be parameterized using standard prepared statement placeholders in most JDBC implementations, requiring explicit allowlist validation of sortable column names. The CPE cpe:2.3:a:jflyfox:jfinal_cms:*:*:*:*:*:*:*:* covers all tracked versions through 5.1.0. The impact scope is confined (SC:N/SI:N/SA:N), indicating no cross-component or downstream system compromise beyond the CMS database itself.

RemediationAI

No vendor-released patch has been identified at time of analysis; the project maintainer has not responded to the responsible disclosure submitted via GitHub issue #62. As a primary compensating control, deploy a web application firewall rule to intercept and sanitize or block requests to the feedback listing endpoint containing unsanitized SQL metacharacters in the orderBy parameter - note this may cause false positives if legitimate sort operations use complex expressions. Additionally, restrict the CMS database account to the minimum required privileges (SELECT only where applicable), which limits the blast radius of successful injection. Where operationally feasible, temporarily disable or restrict access to the AdviceFeedback listing feature until an upstream fix is released. Monitor the GitHub repository at https://github.com/jflyfox/jfinal_cms/ and VulDB entry https://vuldb.com/vuln/369093 for patch availability. Organizations with high-sensitivity data should evaluate forking the fix themselves by implementing an allowlist of permitted column names before the orderBy value is incorporated into the query.

CVE-2023-47503 CRITICAL POC
9.8 Nov 28

An issue in jflyfox jfinalCMS v.5.1.0 allows a remote attacker to execute arbitrary code via a crafted script to the log

CVE-2023-30349 CRITICAL POC
9.8 Apr 27

JFinal CMS v5.1.0 was discovered to contain a remote code execution (RCE) vulnerability via the ActionEnter function. Ra

CVE-2022-37204 CRITICAL POC
9.8 Sep 20

Final CMS 5.1.0 is vulnerable to SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2022-37203 CRITICAL POC
9.8 Sep 19

JFinal CMS 5.1.0 is vulnerable to SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2022-37223 CRITICAL POC
9.8 Aug 23

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/role/list. Rated critical severity (CVSS 9.8), th

CVE-2022-37199 CRITICAL POC
9.8 Aug 23

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/user/list. Rated critical severity (CVSS 9.8), th

CVE-2022-30500 CRITICAL POC
9.8 May 26

Jfinal cms 5.1.0 is vulnerable to SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2022-37202 HIGH POC
8.8 Oct 26

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/advicefeedback/list. Rated high severity (CVSS 8.8), this vul

CVE-2022-37208 HIGH POC
8.8 Oct 13

JFinal CMS 5.1.0 is vulnerable to SQL Injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploita

CVE-2022-37209 HIGH POC
8.8 Sep 27

JFinal CMS 5.1.0 is affected by: SQL Injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitab

CVE-2022-37205 HIGH POC
8.8 Sep 20

JFinal CMS 5.1.0 is affected by: SQL Injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitab

CVE-2022-37201 HIGH POC
8.8 Sep 15

JFinal CMS 5.1.0 is vulnerable to SQL Injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploita

Share

CVE-2026-11473 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy