Vendor CVEs
Jizhicms
All CVEs
40 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-50229 | Jizhicms | Cri | 0.64 | 9.8 | 0.00 | | Apr 23, 2026 | Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module. |
| CVE-2025-50228 | Jizhicms | Cri | 0.52 | 9.1 | 0.00 | | Apr 9, 2026 | Jizhicms v2.5.4 is vulnerable to Server-Side Request Forgery (SSRF) in User Evaluation, Message, and Comment modules. |
| CVE-2026-3292 | Jizhicms | Med | 0.41 | 6.3 | 0.00 | | Feb 27, 2026 | A security vulnerability has been detected in jizhiCMS up to 2.5.6. Affected is the function findAll in the library frphp/lib/Model.php of the component Batch Interface. The manipulation of the argument data leads to sql injection. The attack is possible to be carried out… |
| CVE-2026-6978 | Jizhicms | Med | 0.31 | 4.7 | 0.00 | | Apr 25, 2026 | A vulnerability was detected in JiZhiCMS up to 2.5.6. The impacted element is the function htmlspecialchars_decode of the file /index.php/admins/Sys/addcache.html. The manipulation of the argument sqls results in sql injection. It is possible to launch the attack remotely. The… |
| CVE-2025-14012 | Jizhicms | Med | 0.31 | 4.7 | 0.00 | | Dec 4, 2025 | A vulnerability was determined in JIZHICMS up to 2.5.5. The affected element is the function deleteAll/findAll/delete of the file /index.php/admins/Comment/deleteAll.html of the component Batch Delete Comments. Executing a manipulation can lead to sql injection. The attack can… |
| CVE-2025-14011 | Jizhicms | Med | 0.31 | 4.7 | 0.00 | | Dec 4, 2025 | A vulnerability was found in JIZHICMS up to 2.5.5. Impacted is the function commentlist of the file /index.php/admins/Comment/addcomment.html of the component Add Display Name Field. Performing a manipulation of the argument aid/tid results in sql injection. The attack can be… |
| CVE-2025-14013 | Jizhicms | Low | 0.16 | 2.4 | 0.00 | | Dec 4, 2025 | A vulnerability was identified in JIZHICMS up to 2.5.5. The impacted element is an unknown function of the file /index.php/admins/Comment/addcomment.html of the component Comment Handler. The manipulation of the argument body leads to cross site scripting. The attack may be… |
| CVE-2026-29840 | Jizhicms | | 0.00 | — | 0.00 | | Mar 24, 2026 | JiZhiCMS v2.5.6 and before contains a Stored Cross-Site Scripting (XSS) vulnerability in the release function within app/home/c/UserController.php. The application attempts to sanitize input by filtering tags but fails to recursively remove dangerous event handlers in… |
| CVE-2025-70397 | Jizhicms | | 0.00 | — | 0.00 | | Feb 17, 2026 | jizhicms 2.5.6 is vulnerable to SQL Injection in Article/deleteAll and Extmolds/deleteAll via the data parameter. |
| CVE-2020-37117 | Jizhicms | | 0.00 | — | 0.01 | | Feb 5, 2026 | jizhiCMS 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated administrators to download arbitrary files. Attackers can exploit the vulnerability by sending crafted POST requests with malicious filepath and download_url… |
| CVE-2025-2639 | Jizhicms | | 0.00 | — | 0.00 | | Mar 23, 2025 | A vulnerability has been found in JIZHICMS up to 1.7.0 and classified as problematic. This vulnerability affects unknown code of the file /user/release.html of the component Article Handler. The manipulation leads to improper authorization. The attack can be initiated remotely.… |
| CVE-2025-2638 | Jizhicms | | 0.00 | — | 0.00 | | Mar 23, 2025 | A vulnerability, which was classified as problematic, was found in JIZHICMS up to 1.7.0. This affects an unknown part of the file /user/release.html of the component Article Handler. The manipulation of the argument ishot with the input 1 leads to improper authorization. It is… |
| CVE-2025-2637 | Jizhicms | | 0.00 | — | 0.00 | | Mar 23, 2025 | A vulnerability, which was classified as problematic, has been found in JIZHICMS up to 1.7.0. Affected by this issue is some unknown functionality of the file /user/userinfo.html of the component Account Profile Page. The manipulation of the argument jifen leads to improper… |
| CVE-2025-25784 | Jizhicms | | 0.00 | — | 0.01 | | Feb 26, 2025 | An arbitrary file upload vulnerability in the component \c\TemplateController.php of Jizhicms v2.5.4 allows attackers to execute arbitrary code via uploading a crafted Zip file. |
| CVE-2025-25785 | Jizhicms | | 0.00 | — | 0.00 | | Feb 26, 2025 | JizhiCMS v2.5.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component \c\PluginsController.php. This vulnerability allows attackers to perform an intranet scan via a crafted request. |
| CVE-2024-34255 | Jizhicms | | 0.00 | — | 0.00 | | May 8, 2024 | jizhicms v2.5.1 contains a Cross-Site Scripting (XSS) vulnerability in the message function. |
| CVE-2024-33338 | Jizhicms | | 0.00 | — | 0.01 | | Apr 29, 2024 | Cross Site Scripting vulnerability in jizhicms v.2.5.4 allows a remote attacker to obtain sensitive information via a crafted article publication request. |
| CVE-2024-32161 | Jizhicms | | 0.00 | — | 0.01 | | Apr 17, 2024 | jizhiCMS 2.5 suffers from a File upload vulnerability. |
| CVE-2023-51154 | Jizhicms | | 0.00 | — | 0.01 | | Jan 4, 2024 | Jizhicms v2.5 was discovered to contain an arbitrary file download vulnerability via the component /admin/c/PluginsController.php. |
| CVE-2023-50692 | Jizhicms | | 0.00 | — | 0.01 | | Dec 28, 2023 | File Upload vulnerability in JIZHICMS v.2.5, allows remote attacker to execute arbitrary code via a crafted file uploaded and downloaded to the download_url parameter in the app/admin/exts/ directory. |
| CVE-2023-43836 | Jizhicms | | 0.00 | — | 0.01 | | Oct 2, 2023 | There is a SQL injection vulnerability in the Jizhicms 2.4.9 backend, which users can use to obtain database information. |
| CVE-2023-38948 | Jizhicms | | 0.00 | — | 0.01 | | Aug 3, 2023 | An arbitrary file download vulnerability in the /c/PluginsController.php component of jizhi CMS 1.9.5 allows attackers to execute arbitrary code via downloading a crafted plugin. |
| CVE-2023-2927 | Jizhicms | | 0.00 | — | 0.01 | | May 27, 2023 | A vulnerability was found in JIZHICMS 2.4.5. It has been classified as critical. Affected is the function index of the file TemplateController.php. The manipulation of the argument webapi leads to server-side request forgery. It is possible to launch the attack remotely. The… |
| CVE-2023-31862 | Jizhicms | | 0.00 | — | 0.00 | | May 19, 2023 | jizhicms v2.4.6 is vulnerable to Cross Site Scripting (XSS). The content of the article published in the front end is only filtered in the front end, without being filtered in the background, which allows attackers to publish an article containing malicious JavaScript scripts by… |
| CVE-2023-27235 | Jizhicms | | 0.00 | — | 0.01 | | Mar 15, 2023 | An arbitrary file upload vulnerability in the \admin\c\CommonController.php component of Jizhicms v2.4.5 allows attackers to execute arbitrary code via a crafted phtml file. |
| CVE-2023-27234 | Jizhicms | | 0.00 | — | 0.00 | | Mar 15, 2023 | A Cross-Site Request Forgery (CSRF) in /Sys/index.html of Jizhicms v2.4.5 allows attackers to arbitrarily make configuration changes within the application. |
| CVE-2021-36484 | Jizhicms | | 0.00 | — | 0.01 | | Feb 3, 2023 | SQL injection vulnerability in JIZHICMS 1.9.5 allows attackers to run arbitrary SQL commands via add or edit article page. |
| CVE-2022-45278 | Jizhicms | | 0.00 | — | 0.01 | | Nov 23, 2022 | Jizhicms v2.3.3 was discovered to contain a SQL injection vulnerability via the /index.php/admins/Fields/get_fields.html component. |
| CVE-2021-29334 | Jizhicms | | 0.00 | — | 0.00 | | Nov 23, 2022 | An issue was discovered in JIZHI CMS 1.9.4. There is a CSRF vulnerability that can add an admin account via index, /admin.php/Admin/adminadd.html |
| CVE-2022-44140 | Jizhicms | | 0.00 | — | 0.01 | | Nov 23, 2022 | Jizhicms v2.3.3 was discovered to contain a SQL injection vulnerability via the /Member/memberedit.html component. |
| CVE-2022-36578 | Jizhicms | | 0.00 | — | 0.01 | | Aug 19, 2022 | jizhicms v2.3.1 has SQL injection in the background. |
| CVE-2022-36577 | Jizhicms | | 0.00 | — | 0.00 | | Aug 19, 2022 | An issue was discovered in jizhicms v2.3.1. There is a CSRF vulnerability that can add an admin. |
| CVE-2022-31393 | Jizhicms | | 0.00 | — | 0.01 | | Jun 9, 2022 | Jizhicms v2.2.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Index function in app/admin/c/PluginsController.php. |
| CVE-2022-31390 | Jizhicms | | 0.00 | — | 0.01 | | Jun 9, 2022 | Jizhicms v2.2.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Update function in app/admin/c/TemplateController.php. |
| CVE-2022-27429 | Jizhicms | | 0.00 | — | 0.01 | | Apr 25, 2022 | Jizhicms v1.9.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via /admin.php/Plugins/update.html. |
| CVE-2020-21228 | Jizhicms | | 0.00 | — | 0.01 | | Oct 1, 2021 | JIZHICMS 1.5.1 contains a cross-site scripting (XSS) vulnerability in the component /user/release.html, which allows attackers to arbitrarily add an administrator cookie. |
| CVE-2020-21483 | Jizhicms | | 0.00 | — | 0.02 | | Sep 15, 2021 | An arbitrary file upload vulnerability in Jizhicms v1.5 allows attackers to execute arbitrary code via a crafted .jpg file which is later changed to a PHP file. |
| CVE-2020-23644 | Jizhicms | | 0.00 | — | 0.01 | | Jan 11, 2021 | XSS exists in JIZHICMS 1.7.1 via index.php/Error/index?msg={XSS] to Home/c/ErrorController.php. |
| CVE-2020-23643 | Jizhicms | | 0.00 | — | 0.01 | | Jan 11, 2021 | XSS exists in JIZHICMS 1.7.1 via index.php/Wechat/checkWeixin?signature=1&echostr={XSS] to Home/c/WechatController.php. |
| CVE-2019-17593 | Jizhicms | | 0.00 | — | 0.00 | | Oct 14, 2019 | JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator. |