MEDIUM 6.3

CVE-2026-11473: SQL Injection in jflyfox jfinal_cms AdvicefeedbackController

A SQL injection vulnerability exists in jflyfox jfinal_cms versions up to 5.1.0 that allows authenticated users to manipulate the orderBy parameter in the AdvicefeedbackController, potentially exposing or modifying database contents. The vulnerability requires valid login credentials but can be exploited over the network without user interaction once authenticated.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

A vulnerability was identified in jflyfox jfinal_cms up to 5.1.0. This impacts the function list of the file AdvicefeedbackController.java. Such manipulation of the argument orderBy leads to sql injection. The attack can be launched remotely. The project was informed of the problem early through an issue report but has not responded yet.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11473 is a SQL injection flaw affecting jflyfox jfinal_cms up to version 5.1.0 in the AdvicefeedbackController.java file. The orderBy parameter in the list function fails to properly sanitize user input before constructing SQL queries (CWE-89: Improper Neutralization of Special Elements used in an SQL Command). This allows an authenticated attacker to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) as well.

Business impact

This vulnerability could allow authenticated users within your organization—or attackers who have compromised credentials—to extract sensitive data from the CMS database, modify content, or disrupt system availability. If jfinal_cms is used to manage customer-facing content or internal documentation, data confidentiality and integrity are at risk. The medium severity rating reflects the requirement for authentication, but the attack surface remains significant in environments where user accounts are shared or credentials are weak.

Affected systems

jflyfox jfinal_cms versions up to and including 5.1.0 are affected. Organizations running earlier versions are also vulnerable. The project maintainers have not yet released a patch as of the vulnerability publication date; verify the latest available version and vendor advisory for patch status.

Exploitability

Exploitation requires valid authentication credentials (CVSS PR:L) but is otherwise straightforward: an attacker with login access can craft malicious orderBy parameters in list requests to the AdvicefeedbackController. No user interaction, special network access, or complex exploitation steps are needed. The attack vector is network-based and can be automated, making it attractive to insider threats or threat actors who have obtained credentials.

Remediation

Immediately contact jflyfox or monitor their repository for a patched version beyond 5.1.0. Until a patch is available, apply input validation and parameterized query practices to the AdvicefeedbackController. Consider restricting network access to the CMS to trusted networks and enforcing strong authentication policies to reduce the likelihood of credential compromise. Audit database logs for suspicious SQL patterns or unusual query activity.

Patch guidance

Check the official jflyfox jfinal_cms repository and release notes for versions newer than 5.1.0 that address this SQL injection. If the project has not released a patch, consider escalating internally to evaluate alternative CMS solutions or implementing compensating controls. Test any patch thoroughly in a non-production environment before deployment to ensure compatibility with your configuration.

Detection guidance

Monitor web server and application logs for unusual orderBy parameter values, especially those containing SQL keywords (UNION, SELECT, OR, DROP, etc.) or comment sequences (--,/*). Enable SQL query logging at the database layer to detect injected commands. Look for requests to AdvicefeedbackController endpoints originating from unexpected internal users or from outside normal business hours. Implement WAF rules to block common SQL injection patterns in query parameters.

Why prioritize this

While this vulnerability requires authentication and carries a MEDIUM CVSS score (6.3), it should be prioritized for rapid assessment and remediation because: (1) SQL injection poses direct risk to data confidentiality and integrity; (2) jfinal_cms is a content management system likely containing sensitive or high-value data; (3) the patch status remains unclear, leaving affected instances exposed; (4) credential compromise is common in real-world incidents, making the 'requires authentication' assumption less protective in practice.

Risk score, explained

The CVSS 3.1 score of 6.3 (MEDIUM) reflects a network-accessible SQL injection that requires prior authentication, affects confidentiality, integrity, and availability, and does not require privilege escalation. The score is justified but should be elevated in risk prioritization if: your jfinal_cms instance handles payment, healthcare, or personal data; user accounts are numerous or credentials are shared; or historical logging suggests internal account compromise is plausible.

Frequently asked questions

Do we need to patch immediately if our jfinal_cms is behind a firewall and only accessible to employees?

Yes. While network isolation reduces attack surface, the requirement for authentication means insider threats—disgruntled employees, compromised workstations, or lateral movement from other breached systems—remain viable attack vectors. Patching or implementing strong compensating controls should not be deferred.

Is there a workaround if the vendor does not release a patch soon?

Implement parameterized queries in the AdvicefeedbackController if you have access to source code, apply a Web Application Firewall (WAF) rule to reject malformed orderBy parameters, and enforce strict input validation on all query parameters. These are temporary measures; upgrading or replacing the affected component should remain the primary goal.

How do I know if we've been exploited?

Search your database and application logs for SQL injection markers in orderBy parameters (UNION, subqueries, comment sequences). Check database audit logs for unexpected data access or modifications. Query access logs for AdvicefeedbackController requests with suspicious parameters. If you lack detailed logging, this is a key area to improve before patch deployment.

Is this vulnerability actively exploited in the wild?

As of publication, CVE-2026-11473 is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning there is no confirmed public exploit or active exploitation observed by government agencies. However, SQL injection flaws are well-understood attack vectors, and exploitation tools are readily available; do not interpret the absence of a KEV listing as evidence the vulnerability is difficult to exploit.

This analysis is based on vulnerability data published as of 2026-06-17 and vendor information available at that time. The jflyfox jfinal_cms project has not yet released a patch according to public information; verify current patch status and vendor advisories before remediation decisions. CVSS scores and CWE classifications are as provided by the vulnerability source and should be reviewed in the context of your environment and risk posture. SEC.co does not warranty the completeness or accuracy of patch versions referenced in external advisories; always consult official vendor releases for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).