Every CVE whose affected-product data names Jflyfox Jfinal Cms, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (51)
CVE-2022-37203 — CVSS 9.8 (critical): JFinal CMS 5.1.0 is vulnerable to SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses…
CVE-2023-47503 — CVSS 9.8 (critical): An issue in jflyfox jfinalCMS v.5.1.0 allows a remote attacker to execute arbitrary code via a crafted script to the login.jsp component in…
CVE-2021-42242 — CVSS 9.8 (critical): A command execution vulnerability exists in jfinal_cms 5.0.1 via com.jflyfox.component.controller.Ueditor.
CVE-2023-30349 — CVSS 9.8 (critical): JFinal CMS v5.1.0 was discovered to contain a remote code execution (RCE) vulnerability via the ActionEnter function.
CVE-2024-53477 — CVSS 9.8 (critical): JFinal CMS 5.1.0 is vulnerable to Command Execution via unauthorized execution of deserialization in the file ApiForm.java
CVE-2022-37205 — CVSS 8.8 (high): JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its…
CVE-2022-37209 — CVSS 8.8 (high): JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its…
CVE-2022-37208 — CVSS 8.8 (high): JFinal CMS 5.1.0 is vulnerable to SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses…
CVE-2022-37207 — CVSS 8.8 (high): JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its…
CVE-2020-19151 — CVSS 8.8 (high): Command Injection in Jfinal CMS v4.7.1 and earlier allows remote attackers to execute arbitrary code by uploading a malicious HTML template…
CVE-2020-19155 — CVSS 8.8 (high): Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information and/or execute arbitrary…
CVE-2020-19150 — CVSS 8.1 (high): Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information or cause a denial of…
CVE-2021-40639 — CVSS 7.5 (high): Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemana…
CVE-2022-28505 — CVSS 7.2 (high): Jfinal_cms 5.1.0 is vulnerable to SQL Injection via com.jflyfox.system.log.LogController.java.
CVE-2022-33114 — CVSS 7.2 (high): Jfinal CMS v5.1.0 was discovered to contain a SQL injection vulnerability via the attrVal parameter at /jfinal_cms/system/dict/list.
CVE-2020-19146 — CVSS 6.5 (medium): Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the 'TemplatePath'…
CVE-2020-19147 — CVSS 6.5 (medium): Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive infromation via the 'getFolder()'…
CVE-2020-19154 — CVSS 6.5 (medium): Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the…
CVE-2023-22975 — CVSS 6.1 (medium): A cross-site scripting (XSS) vulnerability in JFinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted…
CVE-2022-33113 — CVSS 5.4 (medium): Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the keyword text field…
CVE-2022-27111 — CVSS 5.4 (medium): Jfinal_CMS 5.1.0 allows attackers to use the feedback function to send malicious XSS code to the administrator backend and execute it.
CVE-2022-36527 — CVSS 5.4 (medium): Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the post title text field…
CVE-2023-24747 — CVSS 5.4 (medium): Jfinal CMS v5.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /system/dict/list.
CVE-2021-46087 — CVSS 5.4 (medium): In jfinal_cms >= 5.1 0, there is a storage XSS vulnerability in the background system of CMS. Because developers do not filter the…
CVE-2022-29648 — CVSS 5.4 (medium): A cross-site scripting (XSS) vulnerability in Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted…
CVE-2020-19148 — CVSS 5.4 (medium): Cross Site Scripting (XSS) in Jfinal CMS v4.7.1 and earlier allows remote attackers to execute arbitrary code via the 'Nickname' parameter…
CVE-2025-6105 — CVSS 4.3 (medium): A vulnerability has been found in jflyfox jfinal_cms 5.0.1 and classified as problematic. This vulnerability affects unknown code of the…