CVE-2026-6978
Received Received - Intake
SQL Injection in JiZhiCMS addcache.html Enables Remote Exploit

Publication date: 2026-04-25

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in JiZhiCMS up to 2.5.6. The impacted element is the function htmlspecialchars_decode of the file /index.php/admins/Sys/addcache.html. The manipulation of the argument sqls results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-25
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6978
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
qingyun985 jizhicms to 2.5.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in JiZhiCMS 2.5.6 allows remote SQL injection, which can lead to unauthorized access, modification, or extraction of sensitive data stored in the database.

Such unauthorized data access or breaches can compromise the confidentiality and integrity of personal or sensitive information, potentially violating data protection regulations like GDPR or HIPAA that require safeguarding of personal data.

Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to failure to adequately protect sensitive data from unauthorized access.

Mitigation Strategies

To mitigate the SQL injection vulnerability in JiZhiCMS up to version 2.5.6, immediate steps include avoiding the use of the vulnerable functionality that processes the 'sqls' parameter in the /index.php/admins/Sys/addcache.html route.

Specifically, restrict or disable access to the back-end management interface section Extension Management β†’ Fragmentation β†’ Add Fragment, where the vulnerable htmlspecialchars_decode function is used without proper input sanitization.

Additionally, avoid running automated or batch testing tools against this endpoint to prevent unintended impacts, as the vulnerability can be exploited remotely and the exploit is publicly known.

If possible, apply input validation and sanitization or use parameterized queries to prevent SQL injection until an official patch or update is available.

Executive Summary

This vulnerability in JiZhiCMS version 2.5.6 is a SQL injection flaw caused by improper handling of user input. Specifically, the function htmlspecialchars_decode is used to decode input from the sqls parameter, which is then directly concatenated into SQL queries without proper sanitization or parameterization.

The vulnerable code is located in the back-end management interface under Extension Management β†’ Fragmentation β†’ Add Fragment, at the route /index.php/admins/Sys/addcache.html.

Attackers can remotely exploit this by injecting arbitrary SQL code into the sqls parameter, allowing them to perform actions such as extracting database information or causing delays to confirm the injection via time-based blind SQL injection techniques.

Impact Analysis

This SQL injection vulnerability can allow attackers to execute arbitrary SQL commands on the affected JiZhiCMS database remotely.

  • Attackers can extract sensitive information such as database names and contents.
  • They may manipulate or delete data, potentially causing data loss or corruption.
  • The vulnerability can be used to disrupt service or gain further unauthorized access.
Detection Guidance

This vulnerability can be detected by testing the sqls parameter in HTTP requests sent to the route /index.php/admins/Sys/addcache.html for SQL injection.

A common detection method is to use time-based blind SQL injection payloads such as '1 and sleep(2)--' and observe if the server response is delayed by the sleep time, indicating vulnerability.

More advanced detection involves extracting database information by injecting payloads like '1 and if(ascii(substr(database(),1,1))=106,sleep(3),0)--' to confirm the vulnerability and gather details.

It is important to avoid batch testing with automated tools to prevent unintended impacts on the system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6978. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart