CVE-2026-11473 | A vulnerability was identified in jflyfox jfinal_cms up to 5… | CVSS 6.3 MEDIUM

Description

A vulnerability was identified in jflyfox jfinal_cms up to 5.1.0. This impacts the function list of the file AdvicefeedbackController.java. Such manipulation of the argument orderBy leads to sql injection. The attack can be launched remotely. The project was informed of the problem early through an issue report but has not responded yet.

Metadata

CVE ID: CVE-2026-11473
State: PUBLISHED
Assigner: VulDB
Reserved: 2026-06-07 09:34 UTC
Published: 2026-06-08 00:45 UTC
Last updated: 2026-06-08 11:05 UTC
Primary CWE: CWE-89
SQL Injection
Vendor / Product: jflyfox / jfinal_cms
Sources: cve.org · NVD

Severity & Metrics

6.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
jflyfox	jfinal_cms	—	5.0, 5.1.0

Weakness (CWE)

CWE	Source	Description
CWE-74	cna	Injection
CWE-89	cna	SQL Injection

CVSS scores (4)

Score	Severity	Version	Source	Vector
6.5	N/D	2.0	cna	AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:UR
6.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R
6.3	MEDIUM	3.0	cna	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R
5.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X

References (6)

VDB-369093 | jflyfox jfinal_cms AdvicefeedbackController.java list sql injection https://vuldb.com/vuln/369093
VDB-369093 | CTI Indicators (IOB, IOC, TTP, IOA) https://vuldb.com/vuln/369093/cti
CVE-2026-11473 | CVE Analysis and Report https://vuldb.com/cve/CVE-2026-11473
Submit #833907 | GitHub jfinal_cms 5.1.0 SQL https://vuldb.com/submit/833907
https://github.com/jflyfox/jfinal_cms/issues/62
https://github.com/jflyfox/jfinal_cms/