CVE-2026-11473
Description
jfinal_cms versions up to 5.1.0 are vulnerable to SQL injection via the orderBy parameter in AdvicefeedbackController.java, allowing remote attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in jfinal_cms versions up to 5.1.0, specifically within the list() function of AdvicefeedbackController.java. The orderBy parameter is directly concatenated into SQL queries without proper sanitization, allowing for manipulation.
Exploitation
An attacker can exploit this vulnerability remotely by sending a crafted request that manipulates the orderBy parameter. This parameter is used to control the sorting of data, and by injecting SQL commands, an attacker can alter the query's execution.
Impact
Successful exploitation of this SQL injection vulnerability allows an attacker to execute arbitrary SQL commands. This can lead to unauthorized access to sensitive data, modification of data, or even complete compromise of the database associated with the jfinal_cms application.
Mitigation
There is no publicly disclosed patch or fixed version available at this time. The project was informed of the vulnerability early through an issue report [2], but has not yet responded. Users are advised to monitor the project's GitHub repository [1] for updates. It is not listed on the CISA KEV catalog.
- [1] GitHub - jflyfox/jfinal_cms: jfinal cms is a feature-rich information website developed in Java. It uses the lightweight JFinal web framework, beetl as the template engine, MySQL as the database, and Bootstrap on the front end. It supports OAuth2 authentication, account registration, password encryption, comments and replies, message notifications, site visit statistics, per-article comment and view counts, reply management, and permission management. Back-end modules include: column management, column announcements, column carousel images, article management, reply management, feedback…
- [2] Multiple SQL Injection Vulnerabilities in JFinal CMS - Unfiltered orderBy Parameter
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=5.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application directly concatenates user-supplied input into SQL queries without proper sanitization."
Attack vector
An attacker can exploit this vulnerability by sending a crafted `orderBy` parameter to the `list()` function in `AdvicefeedbackController.java`. This parameter can contain malicious SQL code, which is then directly appended to the SQL query. The vulnerability can be exploited remotely, and it requires only low privileges to execute [ref_id=1]. The direct concatenation allows an attacker to manipulate the database query to their advantage.
Affected code
The vulnerability is present in the `list()` method of `AdvicefeedbackController.java` and several other controller files. Specifically, the code directly appends the `orderBy` parameter to the SQL query, such as in `AdvicefeedbackController.java` where `sql.append(" order by ").append(orderBy);` is used [ref_id=1]. Similar vulnerable code patterns are found in `DepartmentController.java`, `FriendlylinkController.java`, `ImageShowController.java`, `LogController.java`, and `ConfigController.java` [ref_id=1].
What the fix does
The advisory does not specify a patch or provide remediation guidance. The vulnerability exists due to the direct concatenation of the `orderBy` parameter into SQL queries in multiple controller files, including `AdvicefeedbackController.java` and `DepartmentController.java` [ref_id=1]. Without a patch, the application remains vulnerable to SQL injection through these parameters.
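As an added illustration (not code from jfinal_cms or from the advisory), the concatenation pattern the advisory quotes is shown beside an allowlist-based replacement: the request value is mapped to a fixed set of column and direction identifiers, so no user-supplied text is ever appended to the query. The table name, column names and method names are assumptions, not the project's own.

```java
import java.util.Map;
import java.util.Set;

// Added example, not jfinal_cms code. Table/column names are hypothetical.
public class OrderByExample {

    // The pattern the advisory describes: the orderBy request parameter is
    // appended verbatim, so whatever the client sends becomes part of the SQL.
    static String buildVulnerable(String orderBy) {
        StringBuilder sql = new StringBuilder("select * from advice_feedback where 1=1");
        if (orderBy != null && !orderBy.isEmpty()) {
            sql.append(" order by ").append(orderBy); // untrusted text enters the query
        }
        return sql.toString();
    }

    // Hardened form: the request value selects from a fixed table of identifiers.
    // Keys are what the client may send; values are the SQL that is actually emitted.
    private static final Map<String, String> SORT_COLUMNS = Map.of(
        "id", "id",
        "create_time", "create_time",
        "title", "title");
    private static final Set<String> DIRECTIONS = Set.of("asc", "desc");

    static String buildSafe(String orderBy) {
        String column = "id";      // default ordering when the input is absent or unknown
        String direction = "desc";
        if (orderBy != null) {
            String[] parts = orderBy.trim().split("\\s+");
            // Accept only "column" or "column direction" where both are allowlisted.
            if (parts.length <= 2 && SORT_COLUMNS.containsKey(parts[0])) {
                column = SORT_COLUMNS.get(parts[0]);
                if (parts.length == 2 && DIRECTIONS.contains(parts[1].toLowerCase())) {
                    direction = parts[1].toLowerCase();
                } // unknown direction: keep the default rather than echoing input
            }
        }
        // Only strings from the allowlists are concatenated here.
        return "select * from advice_feedback where 1=1 order by " + column + " " + direction;
    }

    public static void main(String[] args) {
        System.out.println(buildSafe("create_time asc")); // ... order by create_time asc
        System.out.println(buildSafe("not_a_column"));    // ... order by id desc (default)
        System.out.println(buildSafe(null));              // ... order by id desc (default)
    }
}
```

Logging the rejected value (rather than silently defaulting) gives detection a signal when a client sends something outside the allowlist.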
Preconditions
- auth: The attacker needs low privileges to exploit the vulnerability.
- network: The attack can be launched remotely.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.