CVE-2023-50137
Description
JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS) in the site management office.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
JFinalcms 5.0.0 is vulnerable to stored cross-site scripting (XSS) in the site management office, allowing arbitrary JavaScript execution.
CVE-2023-50137 describes a stored cross-site scripting (XSS) vulnerability in JFinalcms version 5.0.0. The flaw resides in the site management office functionality, where unsanitized input can be persistently stored and later executed in the browsers of administrators. [1][2]
An attacker with low-privileged access or the ability to submit data to the site management office can inject malicious scripts. Stored XSS does not require social engineering of the victim, as the malicious payload is automatically served when a legitimate user visits the affected page. [3]
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, credential theft, or defacement of the administrative interface. [3]
As of the advisory, no official patch has been released; however, the project is openly available on GitHub. Administrators should review the site management input handling and consider applying input validation and output encoding as a workaround. [1][2]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.jfinal:jfinalMaven | <= 5.0.0 | — |
Affected products
- JFinalcms / JFinalcms
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.