Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was identified in jflyfox jfinal_cms up to 5.1.0. This impacts the function list of the file AdvicefeedbackController.java. Such manipulation of the argument orderBy leads to sql injection. The attack can be launched remotely. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
SQL injection in jflyfox jfinal_cms through version 5.1.0 exposes database contents to remote, low-privileged attackers via an unsanitized orderBy parameter in the list function of AdvicefeedbackController.java. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-reachable exploitation requiring only a low-privileged account, with limited but real confidentiality, integrity, and availability impact. The project was notified via GitHub issue #62 but has not responded, and no vendor-released patch exists at time of analysis. No public exploit code or confirmed active exploitation has been identified.
Technical ContextAI
jfinal_cms is a Java-based content management system built on the JFinal MVC framework. The vulnerable component is the list function within AdvicefeedbackController.java, which processes feedback listing requests and accepts a user-supplied orderBy parameter that is passed directly into a SQL query without proper parameterization or escaping. This is a textbook CWE-89 (Improper Neutralization of Special Elements used in SQL Command) flaw - ORDER BY clauses are particularly susceptible because they cannot be parameterized using standard prepared statement placeholders in most JDBC implementations, requiring explicit allowlist validation of sortable column names. The CPE cpe:2.3:a:jflyfox:jfinal_cms:*:*:*:*:*:*:*:* covers all tracked versions through 5.1.0. The impact scope is confined (SC:N/SI:N/SA:N), indicating no cross-component or downstream system compromise beyond the CMS database itself.
RemediationAI
No vendor-released patch has been identified at time of analysis; the project maintainer has not responded to the responsible disclosure submitted via GitHub issue #62. As a primary compensating control, deploy a web application firewall rule to intercept and sanitize or block requests to the feedback listing endpoint containing unsanitized SQL metacharacters in the orderBy parameter - note this may cause false positives if legitimate sort operations use complex expressions. Additionally, restrict the CMS database account to the minimum required privileges (SELECT only where applicable), which limits the blast radius of successful injection. Where operationally feasible, temporarily disable or restrict access to the AdviceFeedback listing feature until an upstream fix is released. Monitor the GitHub repository at https://github.com/jflyfox/jfinal_cms/ and VulDB entry https://vuldb.com/vuln/369093 for patch availability. Organizations with high-sensitivity data should evaluate forking the fix themselves by implementing an allowlist of permitted column names before the orderBy value is incorporated into the query.
More in Jfinal Cms
View allAn issue in jflyfox jfinalCMS v.5.1.0 allows a remote attacker to execute arbitrary code via a crafted script to the log
JFinal CMS v5.1.0 was discovered to contain a remote code execution (RCE) vulnerability via the ActionEnter function. Ra
Final CMS 5.1.0 is vulnerable to SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo
JFinal CMS 5.1.0 is vulnerable to SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/role/list. Rated critical severity (CVSS 9.8), th
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/user/list. Rated critical severity (CVSS 9.8), th
Jfinal cms 5.1.0 is vulnerable to SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/advicefeedback/list. Rated high severity (CVSS 8.8), this vul
JFinal CMS 5.1.0 is vulnerable to SQL Injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploita
JFinal CMS 5.1.0 is affected by: SQL Injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitab
JFinal CMS 5.1.0 is affected by: SQL Injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitab
JFinal CMS 5.1.0 is vulnerable to SQL Injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploita
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35004
GHSA-g33j-w4fc-53xg