Jizhicms

jizhicms

39 CVEs • 1 product

Products (1)

Click to collapse

Toggle

Jizhicms

jizhicms

39 CVEs

CVEs (39)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-50229 1Jizhicms 1Jizhicms Apr 27, 2026 Apr 23, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module.
CVE-2025-50228 1Jizhicms 1Jizhicms Apr 14, 2026 Apr 9, 2026 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Jizhicms v2.5.4 is vulnerable to Server-Side Request Forgery (SSRF) in User Evaluation, Message, and Comment modules.
CVE-2026-29840 1Jizhicms 1Jizhicms Mar 25, 2026 Mar 24, 2026 N/A· v4 5.4 MEDIUM· v3 N/A· v2 JiZhiCMS v2.5.6 and before contains a Stored Cross-Site Scripting (XSS) vulnerability in the release function within app/home/c/UserController.php. The application attempts to sanitize input by filtering <script> tags bu...Show more JiZhiCMS v2.5.6 and before contains a Stored Cross-Site Scripting (XSS) vulnerability in the release function within app/home/c/UserController.php. The application attempts to sanitize input by filtering <script> tags but fails to recursively remove dangerous event handlers in other HTML tags (such as onerror in <img> tags). This allows an authenticated remote attacker to inject arbitrary web script or HTML via the body parameter in a POST request to /user/release.html.Show less
CVE-2026-3292 1Jizhicms 1Jizhicms Apr 29, 2026 Feb 27, 2026 2.1 LOW· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A security vulnerability has been detected in jizhiCMS up to 2.5.6. Affected is the function findAll in the library frphp/lib/Model.php of the component Batch Interface. The manipulation of the argument data leads to sql...Show more A security vulnerability has been detected in jizhiCMS up to 2.5.6. Affected is the function findAll in the library frphp/lib/Model.php of the component Batch Interface. The manipulation of the argument data leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-70397 1Jizhicms 1Jizhicms Feb 19, 2026 Feb 17, 2026 N/A· v4 7.2 HIGH· v3 N/A· v2 jizhicms 2.5.6 is vulnerable to SQL Injection in Article/deleteAll and Extmolds/deleteAll via the data parameter.
CVE-2020-37117 1Jizhicms 1Jizhicms Feb 24, 2026 Feb 5, 2026 8.6 HIGH· v4 8.8 HIGH· v3 N/A· v2 jizhiCMS 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated administrators to download arbitrary files. Attackers can exploit the vulnerability by sending crafted...Show more jizhiCMS 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated administrators to download arbitrary files. Attackers can exploit the vulnerability by sending crafted POST requests with malicious filepath and download_url parameters to trigger unauthorized file downloads.Show less
CVE-2025-14013 1Jizhicms 1Jizhicms Apr 29, 2026 Dec 4, 2025 1.9 LOW· v4 4.8 MEDIUM· v3 3.3 LOW· v2 A vulnerability was identified in JIZHICMS up to 2.5.5. The impacted element is an unknown function of the file /index.php/admins/Comment/addcomment.html of the component Comment Handler. The manipulation of the argument...Show more A vulnerability was identified in JIZHICMS up to 2.5.5. The impacted element is an unknown function of the file /index.php/admins/Comment/addcomment.html of the component Comment Handler. The manipulation of the argument body leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-14012 1Jizhicms 1Jizhicms Apr 29, 2026 Dec 4, 2025 2.0 LOW· v4 7.2 HIGH· v3 5.8 MEDIUM· v2 A vulnerability was determined in JIZHICMS up to 2.5.5. The affected element is the function deleteAll/findAll/delete of the file /index.php/admins/Comment/deleteAll.html of the component Batch Delete Comments. Executing...Show more A vulnerability was determined in JIZHICMS up to 2.5.5. The affected element is the function deleteAll/findAll/delete of the file /index.php/admins/Comment/deleteAll.html of the component Batch Delete Comments. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-14011 1Jizhicms 1Jizhicms Apr 29, 2026 Dec 4, 2025 2.0 LOW· v4 7.2 HIGH· v3 5.8 MEDIUM· v2 A vulnerability was found in JIZHICMS up to 2.5.5. Impacted is the function commentlist of the file /index.php/admins/Comment/addcomment.html of the component Add Display Name Field. Performing a manipulation of the argu...Show more A vulnerability was found in JIZHICMS up to 2.5.5. Impacted is the function commentlist of the file /index.php/admins/Comment/addcomment.html of the component Add Display Name Field. Performing a manipulation of the argument aid/tid results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-2639 1Jizhicms 1Jizhicms Mar 28, 2025 Mar 23, 2025 5.3 MEDIUM· v4 5.3 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability has been found in JIZHICMS up to 1.7.0 and classified as problematic. This vulnerability affects unknown code of the file /user/release.html of the component Article Handler. The manipulation leads to imp...Show more A vulnerability has been found in JIZHICMS up to 1.7.0 and classified as problematic. This vulnerability affects unknown code of the file /user/release.html of the component Article Handler. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-2638 1Jizhicms 1Jizhicms Apr 2, 2025 Mar 23, 2025 5.3 MEDIUM· v4 5.3 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability, which was classified as problematic, was found in JIZHICMS up to 1.7.0. This affects an unknown part of the file /user/release.html of the component Article Handler. The manipulation of the argument isho...Show more A vulnerability, which was classified as problematic, was found in JIZHICMS up to 1.7.0. This affects an unknown part of the file /user/release.html of the component Article Handler. The manipulation of the argument ishot with the input 1 leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-2637 1Jizhicms 1Jizhicms Apr 2, 2025 Mar 23, 2025 5.3 MEDIUM· v4 5.3 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability, which was classified as problematic, has been found in JIZHICMS up to 1.7.0. Affected by this issue is some unknown functionality of the file /user/userinfo.html of the component Account Profile Page. Th...Show more A vulnerability, which was classified as problematic, has been found in JIZHICMS up to 1.7.0. Affected by this issue is some unknown functionality of the file /user/userinfo.html of the component Account Profile Page. The manipulation of the argument jifen leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-25785 1Jizhicms 1Jizhicms Apr 10, 2025 Feb 26, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 JizhiCMS v2.5.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component \c\PluginsController.php. This vulnerability allows attackers to perform an intranet scan via a crafted request.
CVE-2025-25784 1Jizhicms 1Jizhicms Apr 10, 2025 Feb 26, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An arbitrary file upload vulnerability in the component \c\TemplateController.php of Jizhicms v2.5.4 allows attackers to execute arbitrary code via uploading a crafted Zip file.
CVE-2024-34255 1Jizhicms 1Jizhicms Jun 13, 2025 May 8, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 jizhicms v2.5.1 contains a Cross-Site Scripting(XSS) vulnerability in the message function.
CVE-2024-33338 1Jizhicms 1Jizhicms Apr 23, 2025 Apr 29, 2024 N/A· v4 7.3 HIGH· v3 N/A· v2 Cross Site Scripting vulnerability in jizhicms v.2.5.4 allows a remote attacker to obtain sensitive information via a crafted article publication request.
CVE-2024-32161 1Jizhicms 1Jizhicms Apr 18, 2025 Apr 17, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 jizhiCMS 2.5 suffers from a File upload vulnerability.
CVE-2023-51154 1Jizhicms 1Jizhicms Jun 18, 2025 Jan 4, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Jizhicms v2.5 was discovered to contain an arbitrary file download vulnerability via the component /admin/c/PluginsController.php.
CVE-2023-50692 1Jizhicms 1Jizhicms Apr 17, 2025 Dec 28, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 File Upload vulnerability in JIZHICMS v.2.5, allows remote attacker to execute arbitrary code via a crafted file uploaded and downloaded to the download_url parameter in the app/admin/exts/ directory.
CVE-2023-43836 1Jizhicms 1Jizhicms Nov 21, 2024 Oct 2, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 There is a SQL injection vulnerability in the Jizhicms 2.4.9 backend, which users can use to obtain database information

12 Next