CVE-2026-11473
MediumCVSS 6.3Summary
A vulnerability was identified in jflyfox jfinal_cms up to version 5.1.0, affecting the list function in the AdvicefeedbackController.java file. Manipulation of the argument orderBy leads to SQL injection.
Risk Assessment
An attacker can remotely exploit this vulnerability, potentially leading to unauthorized access to the database and data leakage.
Recommendation
It is recommended to update to the latest version of jflyfox jfinal_cms and to monitor logs for potential attack attempts.
Original NVD description (English source)
A vulnerability was identified in jflyfox jfinal_cms up to 5.1.0. This impacts the function list of the file AdvicefeedbackController.java. Such manipulation of the argument orderBy leads to sql injection. The attack can be launched remotely. The project was informed of the problem early through an issue report but has not responded yet.

