jizhicms CVE Vulnerabilities & CVE List (39)

Products (CPE): — CVEs: 39

jizhicms vulnerability overview

Aggregates CVE and security vulnerability intelligence across all jizhicms-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.

Historical issues mainly involve cross-site scripting, server-side request forgery (SSRF), and path handling flaws (arbitrary file upload and download); some of these may lead to data exposure and session compromise.

Vulnerability distribution trend (last 24 months)

| CVE | Summary | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2025-50229 | Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module. | 9.8 | 0.36% | 2026-04-23 | 2026-06-17 |
| CVE-2025-50228 | Jizhicms v2.5.4 is vulnerable to Server-Side Request Forgery (SSRF) in the User Evaluation, Message, and Comment modules. | 9.1 | 0.27% | 2026-04-09 | 2026-06-17 |
| CVE-2026-29840 | JiZhiCMS v2.5.6 and earlier contains a stored Cross-Site Scripting (XSS) vulnerability in the release function within app/home/c/UserController.php. The application attempts to sanitize input by filtering `<script>` tags but fails to recursively remove dangerous event handlers in other HTML tags (such as `onerror` in `<img>` tags). This allows an authenticated remote attacker to inject arbitrary web script or HTML via the body parameter in a POST request to /user/release.html. | 5.4 | 0.17% | 2026-03-24 | 2026-06-17 |
| CVE-2026-3292 | A security vulnerability has been detected in jizhiCMS up to 2.5.6. Affected is the function findAll in the library frphp/lib/Model.php of the component Batch Interface. Manipulation of the argument data leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2.1 | 0.44% | 2026-02-27 | 2026-06-17 |
| CVE-2025-70397 | jizhicms 2.5.6 is vulnerable to SQL injection in Article/deleteAll and Extmolds/deleteAll via the data parameter. | 7.2 | 0.34% | 2026-02-17 | 2026-06-17 |
| CVE-2020-37117 | jizhiCMS 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated administrators to download arbitrary files. Attackers can exploit the vulnerability by sending crafted POST requests with malicious filepath and download_url parameters to trigger unauthorized file downloads. | 8.6 | 0.69% | 2026-02-05 | 2026-06-16 |
| CVE-2025-14013 | A vulnerability was identified in JIZHICMS up to 2.5.5. The impacted element is an unknown function of the file /index.php/admins/Comment/addcomment.html of the component Comment Handler. Manipulation of the argument body leads to cross-site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 1.9 | 0.23% | 2025-12-04 | 2026-06-17 |
| CVE-2025-14012 | A vulnerability was determined in JIZHICMS up to 2.5.5. The affected element is the function deleteAll/findAll/delete of the file /index.php/admins/Comment/deleteAll.html of the component Batch Delete Comments. Executing a manipulation can lead to SQL injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2.0 | 0.33% | 2025-12-04 | 2026-06-17 |
| CVE-2025-14011 | A vulnerability was found in JIZHICMS up to 2.5.5. Impacted is the function commentlist of the file /index.php/admins/Comment/addcomment.html of the component Add Display Name Field. Manipulation of the argument aid/tid results in SQL injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2.0 | 0.33% | 2025-12-04 | 2026-06-17 |
| CVE-2025-2639 | A vulnerability has been found in JIZHICMS up to 1.7.0 and classified as problematic. This vulnerability affects unknown code of the file /user/release.html of the component Article Handler. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 5.3 | 0.37% | 2025-03-22 | 2026-06-17 |
| CVE-2025-2638 | A vulnerability, which was classified as problematic, was found in JIZHICMS up to 1.7.0. This affects an unknown part of the file /user/release.html of the component Article Handler. Manipulation of the argument ishot with the input 1 leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 5.3 | 0.37% | 2025-03-22 | 2026-06-17 |
| CVE-2025-2637 | A vulnerability, which was classified as problematic, has been found in JIZHICMS up to 1.7.0. Affected by this issue is some unknown functionality of the file /user/userinfo.html of the component Account Profile Page. Manipulation of the argument jifen leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 5.3 | 0.36% | 2025-03-22 | 2026-06-17 |
| CVE-2025-25785 | JizhiCMS v2.5.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component \c\PluginsController.php. This vulnerability allows attackers to perform an intranet scan via a crafted request. | 9.1 | 0.41% | 2025-02-26 | 2026-06-17 |
| CVE-2025-25784 | An arbitrary file upload vulnerability in the component \c\TemplateController.php of Jizhicms v2.5.4 allows attackers to execute arbitrary code via uploading a crafted Zip file. | 9.8 | 1.00% | 2025-02-26 | 2026-06-17 |
| CVE-2024-34255 | jizhicms v2.5.1 contains a Cross-Site Scripting (XSS) vulnerability in the message function. | 6.1 | 0.33% | 2024-05-08 | 2026-06-17 |
| CVE-2024-33338 | A cross-site scripting vulnerability in jizhicms v2.5.4 allows a remote attacker to obtain sensitive information via a crafted article publication request. | 7.3 | 0.97% | 2024-04-29 | 2026-06-17 |
| CVE-2024-32161 | jizhiCMS 2.5 suffers from a file upload vulnerability. | 9.8 | 0.74% | 2024-04-17 | 2026-06-17 |
| CVE-2023-51154 | Jizhicms v2.5 was discovered to contain an arbitrary file download vulnerability via the component /admin/c/PluginsController.php. | 9.8 | 0.61% | 2024-01-04 | 2026-06-17 |
| CVE-2023-50692 | A file upload vulnerability in JIZHICMS v2.5 allows a remote attacker to execute arbitrary code via a crafted file uploaded and downloaded through the download_url parameter in the app/admin/exts/ directory. | 8.8 | 0.94% | 2023-12-28 | 2026-06-17 |
| CVE-2023-43836 | There is a SQL injection vulnerability in the Jizhicms 2.4.9 backend, which users can use to obtain database information. | 6.5 | 0.60% | 2023-10-02 | 2026-06-17 |
cvelogic Threat Intelligence