CVE-2026-11473
Status: Deferred - Pending Action
SQL Injection in jfinal_cms up to 5.1.0

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description
A vulnerability was identified in jflyfox jfinal_cms up to 5.1.0. It affects the function list of the file AdvicefeedbackController.java. Manipulation of the argument orderBy leads to SQL injection. The attack can be launched remotely. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: jflyfox
Product: jfinal_cms
Version / Range: up to and including 5.1.0
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Compliance Impact

The vulnerability involves multiple SQL injection issues due to unsanitized input in the orderBy parameter, which can allow attackers to manipulate database queries remotely.

Such SQL injection vulnerabilities can lead to unauthorized access, data leakage, or data manipulation, potentially compromising sensitive personal or protected health information.

This can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal data and secure handling of sensitive information.

However, the provided context and resources do not explicitly discuss the impact on compliance with these standards.

Executive Summary

CVE-2026-11473 is a SQL injection vulnerability found in the jflyfox jfinal_cms project, specifically affecting the list method of the AdvicefeedbackController.java file among others.

The vulnerability arises because the application directly appends the 'orderBy' parameter from user input into SQL queries without any sanitization or validation.

This lack of input filtering allows an attacker to manipulate the SQL query by injecting malicious SQL code through the 'orderBy' argument, potentially compromising the database.

Impact Analysis

This SQL injection vulnerability can allow remote attackers to execute arbitrary SQL commands on the affected system.

  • Attackers could manipulate database queries to access, modify, or delete sensitive data.
  • It may lead to unauthorized data disclosure or corruption.
  • The integrity and availability of the database could be compromised.
  • Such attacks can also be used as a foothold for further exploitation of the system.

Detection Guidance

This vulnerability involves SQL injection through the unsanitized use of the `orderBy` parameter in several controller classes of jfinal_cms. Detection can focus on monitoring or testing for SQL injection attempts targeting the `orderBy` parameter in HTTP requests to affected endpoints.

You can detect potential exploitation by capturing and analyzing HTTP requests that include the `orderBy` parameter with suspicious or unexpected SQL syntax.

Suggested commands for actively testing whether an endpoint is vulnerable include curl and sqlmap. For example:

  • Using curl to send a request with a suspicious `orderBy` value: `curl -v 'http://targetsite/path/to/AdvicefeedbackController/list?orderBy=1;DROP TABLE users--'`
  • Using sqlmap to test the `orderBy` parameter for SQL injection: `sqlmap -u 'http://targetsite/path/to/AdvicefeedbackController/list?orderBy=1' -p orderBy`

Additionally, monitoring logs for unusual SQL errors or unexpected query behavior related to the `orderBy` parameter can help identify exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include restricting or sanitizing the `orderBy` parameter input to prevent SQL injection.

Since the vulnerability stems from direct concatenation of the `orderBy` parameter into SQL queries without validation, you should:

  • Implement strict input validation or whitelist acceptable values for the `orderBy` parameter.
  • Use parameterized queries or prepared statements instead of direct string concatenation for SQL commands.
  • If possible, temporarily disable or restrict access to the affected controller methods until a patch or fix is available.

Monitoring and logging access to these endpoints can also help detect and respond to exploitation attempts.
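The allow-list approach described under Mitigation Strategies, used both as the fix for the `orderBy` parameter and as the detection rule for the log monitoring described under Detection Guidance, as an added example that is not part of this advisory or of the jfinal_cms code base (Python; the endpoint path, the column names and the access-log lines are constructed assumptions):

```python
import re
from urllib.parse import urlsplit, unquote_plus
# Allow-list for orderBy: a known column name plus an optional direction. The column
# names are assumed for illustration; use the columns the affected controller sorts on.
ALLOWED_COLUMNS = {"id", "create_time", "update_time", "status"}
ORDER_BY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)(?:\s+(asc|desc))?$", re.IGNORECASE)

def is_allowed_order_by(value):
    """True only if value is '<column>' or '<column> asc|desc' with a listed column."""
    m = ORDER_BY_RE.match(value.strip())
    return bool(m) and m.group(1).lower() in ALLOWED_COLUMNS

def safe_order_by(value, default="id desc"):
    """Mitigation: map the request value onto the allow-list or use a fixed default."""
    if value is None or not is_allowed_order_by(value):
        return default
    column, direction = ORDER_BY_RE.match(value.strip()).groups()
    return f"{column.lower()} {(direction or 'asc').lower()}"

def query_params(target):
    """Split the request target's query string into decoded (name, value) pairs."""
    pairs = []
    for part in urlsplit(target).query.split("&"):
        if "=" in part:
            name, raw = part.split("=", 1)
            pairs.append((unquote_plus(name), unquote_plus(raw)))
    return pairs

# Common-log-format access lines, constructed for this example (not real traffic).
# The endpoint path is assumed; adjust it to the deployment's actual route.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jun/2026:10:00:01 +0000] "GET /admin/advicefeedback/list?orderBy=create_time%20desc HTTP/1.1" 200 512
203.0.113.9 - - [08/Jun/2026:10:00:07 +0000] "GET /admin/advicefeedback/list?orderBy=1;DROP%20TABLE%20users-- HTTP/1.1" 500 88
203.0.113.9 - - [08/Jun/2026:10:00:09 +0000] "GET /admin/advicefeedback/list?orderBy=id%20desc%2C(SELECT%20SLEEP(5)) HTTP/1.1" 200 512
198.51.100.2 - - [08/Jun/2026:10:00:11 +0000] "GET /admin/advicefeedback/list HTTP/1.1" 200 512
"""
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_suspicious_order_by(log_text):
    """Detection: report every request whose decoded orderBy value fails the allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, when, _method, target, status = m.groups()
        for name, raw in query_params(target):
            if name == "orderBy" and not is_allowed_order_by(raw):
                hits.append({"client": client, "time": when, "status": status, "orderBy": raw})
    return hits
```

Run over the constructed log, only the two requests from 203.0.113.9 are reported; the same `is_allowed_order_by` check, placed in front of the query in the controller, is the fix.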
