{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-50229", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-24T18:33:51.153Z", "dateReserved": "2025-06-16T00:00:00.000Z", "datePublished": "2026-04-23T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-23T14:59:54.460Z"}, "descriptions": [{"lang": "en", "value": "Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/Cherry-toto/jizhicms"}, {"url": "http://jizhicms.cn"}, {"url": "https://github.com/Cherry-toto/jizhicms/issues/105"}, {"url": "https://gist.github.com/4iFei/14ad89c3b44348dd575bf5ae0ed5a19c"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "references": [{"url": "https://github.com/Cherry-toto/jizhicms/issues/105", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T18:31:36.504003Z", "id": "CVE-2025-50229", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T18:33:51.153Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-50229", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-24T18:33:51.153Z", "dateReserved": "2025-06-16T00:00:00.000Z", "datePublished": "2026-04-23T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-23T14:59:54.460Z"}, "descriptions": [{"lang": "en", "value": "Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/Cherry-toto/jizhicms"}, {"url": "http://jizhicms.cn"}, {"url": "https://github.com/Cherry-toto/jizhicms/issues/105"}, {"url": "https://gist.github.com/4iFei/14ad89c3b44348dd575bf5ae0ed5a19c"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-50229", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-24T18:31:36.504003Z"}}}], "references": [{"url": "https://github.com/Cherry-toto/jizhicms/issues/105", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T18:32:07.064Z"}}]}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jizhicms:jizhicms:2.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "3A6DA195-4F19-4389-A7AE-D6782136A2A8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module."}], "id": "CVE-2025-50229", "lastModified": "2026-04-27T18:24:45.560", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-23T16:16:23.593", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "http://jizhicms.cn"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://gist.github.com/4iFei/14ad89c3b44348dd575bf5ae0ed5a19c"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/Cherry-toto/jizhicms"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/Cherry-toto/jizhicms/issues/105"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/Cherry-toto/jizhicms/issues/105"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.5.4"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "jizhicms", "vendor": "jizhicms"}], "analysis": {"en": {"generated_at": "2026-04-28T07:47:16.648239+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest patched version of Jizhicms that eliminates the SQL injection flaw.", "Use parameterized queries or prepared statements for all database interactions in the product editing module to prevent injection.", "Restrict access to the product editing interface to privileged users and enforce least privilege.", "Enable application\u2011level logging and monitor for suspicious SQL activity."], "summary": {"action": "Immediate Patch", "impact": "Data Breach"}, "threat_synthesis": {"affected_systems": "Only Jizhicms version 2.5.4 is known to be affected, as indicated by the CPE string cpe:2.3:a:jizhicms:jizhicms:2.5.4. Administrators should verify whether their installations run this exact release, as earlier or later versions may not contain the flaw.", "description_and_impact": "Jizhicms v2.5.4 contains a critical SQL injection flaw in the product editing module. Attackers can inject arbitrary SQL commands, enabling them to read, modify, or delete data stored in the database. The vulnerability could lead to unauthorized disclosure of sensitive information and compromise the integrity of the system\u2019s data. Based on the description, the flaw is likely exploitable through the product editing interface, which may be accessed by authenticated users with permission to edit products.", "risk_and_exploitability": "The CVSS score of 9.8 marks this issue as critical. Although the EPSS score is less than 1%, suggesting that exploitation is not yet widespread, the high severity combined with the potential for data exposure necessitates prompt action. The vulnerability is not listed in the CISA KEV catalog, but the absence does not reduce its risk. Attacks would likely target the product editing module, possibly requiring authorization, and could result in data theft or tampering."}}}}, "created": "2026-04-27T19:30:11.876248+00:00", "title": "Critical SQL Injection in Jizhicms Product Editing Module", "updated": "2026-04-28T08:00:14.322060+00:00", "vendors": ["jizhicms", "jizhicms$PRODUCT$jizhicms"]}