CVE-2026-11473

EUVD-2026-35004
A vulnerability was identified in jflyfox jfinal_cms up to 5.1.0. This impacts the function list of the file AdvicefeedbackController.java. Such manipulation of the argument orderBy leads to sql injection. The attack can be launched remotely. The project was informed of the problem early through an issue report but has not responded yet.
Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
VulDBCNA
6.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 10%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
jflyfoxjfinal_cms
5.0
CNA
jflyfoxjfinal_cms
5.1.0
CNA
Common Weakness Enumeration
References
https://github.com/jflyfox/jfinal_cms/
https://github.com/jflyfox/jfinal_cms/issues/62
https://vuldb.com/cve/CVE-2026-11473
https://vuldb.com/submit/833907
https://vuldb.com/vuln/369093
https://vuldb.com/vuln/369093/cti