Description
Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module.
Published: 2026-04-23
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Data Breach
Action: Immediate Patch
AI Analysis

Impact

Jizhicms v2.5.4 contains a critical SQL injection flaw in the product editing module. Attackers can inject arbitrary SQL commands, enabling them to read, modify, or delete data stored in the database. The vulnerability could lead to unauthorized disclosure of sensitive information and compromise the integrity of the system’s data. Based on the description, the flaw is likely exploitable through the product editing interface, which may be accessed by authenticated users with permission to edit products.

Affected Systems

Only Jizhicms version 2.5.4 is known to be affected, as indicated by the CPE string cpe:2.3:a:jizhicms:jizhicms:2.5.4. Administrators should verify whether their installations run this exact release, as earlier or later versions may not contain the flaw.

Risk and Exploitability

The CVSS score of 9.8 marks this issue as critical. Although the EPSS score is less than 1%, suggesting that exploitation is not yet widespread, the high severity combined with the potential for data exposure necessitates prompt action. The vulnerability is not listed in the CISA KEV catalog, but the absence does not reduce its risk. Attacks would likely target the product editing module, possibly requiring authorization, and could result in data theft or tampering.

Generated by OpenCVE AI on April 28, 2026 at 07:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest patched version of Jizhicms that eliminates the SQL injection flaw.
  • Use parameterized queries or prepared statements for all database interactions in the product editing module to prevent injection.
  • Restrict access to the product editing interface to privileged users and enforce least privilege.
  • Enable application‑level logging and monitor for suspicious SQL activity.

Generated by OpenCVE AI on April 28, 2026 at 07:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 08:15:00 +0000

Type Values Removed Values Added
Title Critical SQL Injection in Jizhicms Product Editing Module

Mon, 27 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Jizhicms
Jizhicms jizhicms
CPEs cpe:2.3:a:jizhicms:jizhicms:2.5.4:*:*:*:*:*:*:*
Vendors & Products Jizhicms
Jizhicms jizhicms

Fri, 24 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module.
References

Subscriptions

Jizhicms Jizhicms
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-24T18:33:51.153Z

Reserved: 2025-06-16T00:00:00.000Z

Link: CVE-2025-50229

cve-icon Vulnrichment

Updated: 2026-04-24T18:32:07.064Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T16:16:23.593

Modified: 2026-04-27T18:24:45.560

Link: CVE-2025-50229

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T08:00:14Z

Weaknesses