Cyber Resilience

CVE-2025-50228

Critical

Published: 09 April 2026

Published
09 April 2026
Modified
14 April 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0027 19.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-50228 is a critical-severity SSRF (CWE-918) vulnerability in Jizhicms Jizhicms. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-50228 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting Jizhicms version 2.5.4 in its User Evaluation, Message, and Comment modules. Published on 2026-04-09T15:16:07.433, the issue carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), highlighting its critical severity due to network accessibility, low attack complexity, and lack of prerequisites like privileges or user interaction.

Unauthenticated attackers can exploit this SSRF remotely by tricking the server into making unauthorized requests, potentially to internal systems or external services. Exploitation enables high-impact confidentiality and integrity violations, such as accessing sensitive data or forging requests that alter server behavior, while availability remains unaffected.

Advisories and related resources include the Jizhicms GitHub repository at https://github.com/Cherry-toto/jizhicms, an open issue at https://github.com/Cherry-toto/jizhicms/issues/104, and the official website https://www.jizhicms.cn, which may provide further details on patches or workarounds.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Jizhicms v2.5.4 is vulnerable to Server-Side Request Forgery (SSRF) in User Evaluation, Message, and Comment modules.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF in a public-facing web app directly enables remote exploitation of the application without auth.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25785Same product: Jizhicms Jizhicms
CVE-2025-50229Same product: Jizhicms Jizhicms
CVE-2025-70397Same product: Jizhicms Jizhicms
CVE-2026-3292Same product: Jizhicms Jizhicms
CVE-2025-25784Same product: Jizhicms Jizhicms
CVE-2020-37117Same product: Jizhicms Jizhicms
CVE-2024-13195Shared CWE-918
CVE-2026-5052Shared CWE-918
CVE-2025-58045Shared CWE-918
CVE-2025-69299Shared CWE-918

Affected Assets

jizhicms
jizhicms
2.5.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SSRF by validating user inputs in the User Evaluation, Message, and Comment modules to reject malicious URLs or parameters that trigger unauthorized server requests.

prevent

Addresses the specific SSRF flaw in Jizhicms v2.5.4 by requiring timely identification, reporting, and patching of the vulnerability in the affected modules.

preventdetect

Mitigates SSRF exploitation by monitoring and controlling outbound communications at system boundaries to block unauthorized requests to internal or external systems.

References