Jflyfox Jfinal Cms
By the Year
In 2026 there have been 0 vulnerabilities in Jflyfox Jfinal Cms. Last year, in 2025, Jfinal Cms had 1 security vulnerability published. Right now, Jfinal Cms is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 1 | 4.30 |
| 2024 | 0 | 0.00 |
| 2023 | 5 | 7.72 |
| 2022 | 35 | 7.71 |
| 2021 | 9 | 7.50 |
It may take a day or so for new Jfinal Cms vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Jflyfox Jfinal Cms Security Vulnerabilities
CSRF via Logout param in jflyfox jfinal_cms 5.0.1
CVE-2025-6105
4.3 - Medium
- June 16, 2025
A vulnerability has been found in jflyfox jfinal_cms 5.0.1 and classified as problematic. This vulnerability affects unknown code of the file HOME.java. The manipulation of the argument Logout leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Session Riding
jflyfox JFinalCMS 5.1.0 Remote RCE via login.jsp
CVE-2023-47503
9.8 - Critical
- November 28, 2023
An issue in jflyfox jfinalCMS v.5.1.0 allows a remote attacker to execute arbitrary code via a crafted script to the login.jsp component in the template management module.
Arbitrary File Read in jfinal CMS v5.1.0
CVE-2023-34645
7.5 - High
- June 16, 2023
jfinal CMS 5.1.0 has an arbitrary file read vulnerability.
Files or Directories Accessible to External Parties
RCE via ActionEnter in JFinal CMS 5.1.0
CVE-2023-30349
9.8 - Critical
- April 27, 2023
JFinal CMS v5.1.0 was discovered to contain a remote code execution (RCE) vulnerability via the ActionEnter function.
Jfinal CMS 5.1 XSS via /system/dict/list component
CVE-2023-24747
5.4 - Medium
- April 05, 2023
Jfinal CMS v5.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /system/dict/list.
XSS
XSS in JFinal CMS v5.1.0 email param (front/person/profile.html)
CVE-2023-22975
6.1 - Medium
- February 03, 2023
A cross-site scripting (XSS) vulnerability in JFinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email parameter under /front/person/profile.html.
XSS
SQLi via /admin/advicefeedback/list in JFinal CMS 5.1.0
CVE-2022-37202
8.8 - High
- October 26, 2022
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/advicefeedback/list.
SQL Injection
SQLi in JFinal CMS 5.1.0 (via SQL concat)
CVE-2022-37208
8.8 - High
- October 13, 2022
JFinal CMS 5.1.0 is vulnerable to SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection.
SQL Injection
JFinal CMS 5.1.0 SQLi via Direct Query Concatenation
CVE-2022-37209
8.8 - High
- September 27, 2022
JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection.
SQL Injection
JFinal CMS 5.1.0 SQLi via custom SQL concatenation
CVE-2022-37205
8.8 - High
- September 20, 2022
JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection.
SQL Injection
SQL Injection in Final CMS 5.1.0
CVE-2022-37204
9.8 - Critical
- September 20, 2022
Final CMS 5.1.0 is vulnerable to SQL Injection.
SQL Injection
JFinal CMS 5.1.0 SQL Injection via Direct SQL Concatenation
CVE-2022-37203
9.8 - Critical
- September 19, 2022
JFinal CMS 5.1.0 is vulnerable to SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection.
SQL Injection
JFinal CMS 5.1.0 SQL Injection vulnerability
CVE-2022-37201
8.8 - High
- September 15, 2022
JFinal CMS 5.1.0 is vulnerable to SQL Injection.
SQL Injection
JFinal CMS 5.1.0 SQLi via multiple concat interfaces
CVE-2022-37207
8.8 - High
- September 15, 2022
JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection.
SQL Injection
JFinal CMS 5.1.0 SQL Injection via /admin/imagealbum/list
CVE-2022-38279
7.2 - High
- September 09, 2022
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/imagealbum/list.
SQL Injection
JFinal CMS 5.1.0 /system/department/list SQL Injection Vulnerability
CVE-2022-38284
7.2 - High
- September 09, 2022
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /system/department/list.
SQL Injection
JFinal CMS 5.1.0 SQL Injection via /system/menu/list
CVE-2022-38285
7.2 - High
- September 09, 2022
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /system/menu/list.
SQL Injection
JFinal CMS 5.1.0 SQL Injection via /system/role/list
CVE-2022-38286
7.2 - High
- September 09, 2022
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /system/role/list.
SQL Injection
SQLi Vulnerability in JFinal CMS 5.1.0 via /admin/article/list
CVE-2022-38272
7.2 - High
- September 09, 2022
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/article/list.
SQL Injection
JFinal CMS 5.1.0 SQL Injection via /admin/article/list_approve
CVE-2022-38273
7.2 - High
- September 09, 2022
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/article/list_approve.
SQL Injection
JFinal CMS 5.1.0 SQLi via /admin/comment/list
CVE-2022-38274
7.2 - High
- September 09, 2022
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/comment/list.
SQL Injection
SQL Injection in JFinal CMS 5.1.0 via /admin/contact/list
CVE-2022-38275
7.2 - High
- September 09, 2022
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/contact/list.
SQL Injection
JFinal CMS 5.1.0 SQL Injection via /admin/foldernotice/list
CVE-2022-38276
7.2 - High
- September 09, 2022
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/foldernotice/list.
SQL Injection
JFinal CMS 5.1.0 SQLi via /admin/folderrollpicture/list
CVE-2022-38277
7.2 - High
- September 09, 2022
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/folderrollpicture/list.
SQL Injection
SQLi via /admin/friendlylink/list in JFinal CMS 5.1.0
CVE-2022-38278
7.2 - High
- September 09, 2022
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/friendlylink/list.
SQL Injection
JFinal CMS 5.1.0 SQL Injection via /admin/image/list
CVE-2022-38280
7.2 - High
- September 09, 2022
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/image/list.
SQL Injection
SQL Injection in JFinal CMS 5.1.0 via /admin/site/list
CVE-2022-38281
7.2 - High
- September 09, 2022
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/site/list.
SQL Injection
SQLi via /admin/videoalbum/list in JFinal CMS 5.1.0
CVE-2022-38282
7.2 - High
- September 09, 2022
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/videoalbum/list.
SQL Injection
JFinal CMS 5.1.0 SQLi via /admin/video/list
CVE-2022-38283
7.2 - High
- September 09, 2022
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/video/list.
SQL Injection
JFinal CMS v5.1.0 XSS via Post Title in Publish Blog Module
CVE-2022-36527
5.4 - Medium
- August 25, 2022
Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the post title text field under the publish blog module.
XSS
JFinal CMS 5.1.0 SQL Injection via /jfinal_cms/system/role/list
CVE-2022-37223
9.8 - Critical
- August 23, 2022
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/role/list.
SQL Injection
SQL Injection in JFinal CMS v5.1.0 via /jfinal_cms/system/user/list
CVE-2022-37199
9.8 - Critical
- August 23, 2022
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/user/list.
SQL Injection
SQL Injection in JFinal CMS v5.1.0 /system/user
CVE-2022-34928
8.8 - High
- August 03, 2022
JFinal CMS v5.1.0 was discovered to contain a SQL injection vulnerability via /system/user.
SQL Injection
Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML
CVE-2022-33113
5.4 - Medium
- June 23, 2022
Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the keyword text field under the publish blog module.
XSS
Jfinal CMS v5.1.0 was discovered to contain a SQL injection vulnerability
CVE-2022-33114
7.2 - High
- June 23, 2022
Jfinal CMS v5.1.0 was discovered to contain a SQL injection vulnerability via the attrVal parameter at /jfinal_cms/system/dict/list.
SQL Injection
A cross-site scripting (XSS) vulnerability in Jfinal CMS v5.1.0
CVE-2022-29648
5.4 - Medium
- June 02, 2022
A cross-site scripting (XSS) vulnerability in Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted X-Forwarded-For request.
XSS
Jfinal cms 5.1.0 is vulnerable to SQL Injection.
CVE-2022-30500
9.8 - Critical
- May 26, 2022
Jfinal cms 5.1.0 is vulnerable to SQL Injection.
SQL Injection
A command execution vulnerability exists in jfinal_cms 5.0.1
CVE-2021-42242
9.8 - Critical
- May 05, 2022
A command execution vulnerability exists in jfinal_cms 5.0.1 via com.jflyfox.component.controller.Ueditor.
Jfinal_cms 5.1.0 is vulnerable to SQL Injection
CVE-2022-28505
7.2 - High
- May 03, 2022
Jfinal_cms 5.1.0 is vulnerable to SQL Injection via com.jflyfox.system.log.LogController.java.
SQL Injection
Jfinal_CMS 5.1.0 allows attackers to use the feedback function to send malicious XSS code to the administrator backend and execute it.
CVE-2022-27111
5.4 - Medium
- April 11, 2022
Jfinal_CMS 5.1.0 allows attackers to use the feedback function to send malicious XSS code to the administrator backend and execute it.
XSS
In jfinal_cms >= 5.1 0, there is a storage XSS vulnerability in the background system of CMS
CVE-2021-46087
5.4 - Medium
- January 25, 2022
In jfinal_cms >= 5.1 0, there is a storage XSS vulnerability in the background system of CMS. Because developers do not filter the parameters submitted by the user input form, any user with background permission can affect the system security by entering malicious code.
XSS
JFinal_cms 5.1.0 is vulnerable to regex injection
CVE-2021-37262
7.5 - High
- December 16, 2021
JFinal_cms 5.1.0 is vulnerable to regex injection that may lead to Denial of Service.
Injection
Improper access control in Jfinal CMS 5.1.0
CVE-2021-40639
7.5 - High
- September 15, 2021
Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js.
Exposure of Resource to Wrong Sphere
Command Injection in Jfinal CMS v4.7.1 and earlier
CVE-2020-19151
- September 15, 2021
Command Injection in Jfinal CMS v4.7.1 and earlier allows remote attackers to execute arbitrary code by uploading a malicious HTML template file via the component 'jfinal_cms/admin/filemanager/list'.
Improper Access Control in Jfinal CMS v4.7.1 and earlier
CVE-2020-19146
- September 15, 2021
Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the 'TemplatePath' parameter in the component 'jfinal_cms/admin/folder/list'.
Improper Access Control in Jfinal CMS v4.7.1 and earlier
CVE-2020-19147
- September 15, 2021
Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the 'getFolder()' function in the component '/modules/filemanager/FileManager.java'.
Improper Access Control in Jfinal CMS v4.7.1 and earlier
CVE-2020-19150
- September 15, 2021
Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information or cause a denial of service via the 'FileManager.delete()' function in the component 'modules/filemanager/FileManagerController.java'.
Improper Access Control in Jfinal CMS v4.7.1 and earlier
CVE-2020-19154
- September 15, 2021
Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the 'FileManager.editFile()' function in the component 'modules/filemanager/FileManagerController.java'.
Improper Access Control in Jfinal CMS v4.7.1 and earlier
CVE-2020-19155
- September 15, 2021
Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information and/or execute arbitrary code via the 'FileManager.rename()' function in the component 'modules/filemanager/FileManagerController.java'.
Cross Site Scripting (XSS) in Jfinal CMS v4.7.1 and earlier
CVE-2020-19148
- September 15, 2021
Cross Site Scripting (XSS) in Jfinal CMS v4.7.1 and earlier allows remote attackers to execute arbitrary code via the 'Nickname' parameter in the component '/jfinal_cms/front/person/profile.html'.