Cyber Resilience

CVE-2025-50229

CriticalPublic PoC

Published: 23 April 2026

Published
23 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0036 27.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-50229 is a critical-severity SQL Injection (CWE-89) vulnerability in Jizhicms Jizhicms. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

Jizhicms v2.5.4 contains a SQL injection vulnerability (CWE-89) in its product editing module, as identified by CVE-2025-50229. This flaw has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impact on confidentiality, integrity, and availability. The vulnerability affects the open-source Jizhicms content management system, specifically version 2.5.4.

An unauthenticated attacker with network access can exploit this SQL injection remotely with low complexity and no user interaction required. Successful exploitation allows the attacker to execute arbitrary SQL queries, potentially leading to unauthorized data extraction, modification, or deletion within the application's database, as well as possible denial of service through database disruption.

Mitigation details and advisories are referenced in sources including the official Jizhicms site at http://jizhicms.cn, a GitHub Gist at https://gist.github.com/4iFei/14ad89c3b44348dd575bf5ae0ed5a19c, and the Cherry-toto/jizhicms GitHub repository (https://github.com/Cherry-toto/jizhicms), particularly issue #105 (https://github.com/Cherry-toto/jizhicms/issues/105). Security practitioners should review these for patches or workarounds.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote unauthenticated SQL injection in public-facing CMS enables exploitation of the application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-70397Same product: Jizhicms Jizhicms
CVE-2026-3292Same product: Jizhicms Jizhicms
CVE-2025-50228Same product: Jizhicms Jizhicms
CVE-2020-37117Same product: Jizhicms Jizhicms
CVE-2025-25784Same product: Jizhicms Jizhicms
CVE-2025-25785Same product: Jizhicms Jizhicms
CVE-2026-24956Shared CWE-89
CVE-2026-33615Shared CWE-89
CVE-2025-28939Shared CWE-89
CVE-2021-47872Shared CWE-89

Affected Assets

jizhicms
jizhicms
2.5.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection exploitation by enforcing input validation and error handling in the product editing module.

prevent

Requires timely remediation of the specific SQL injection flaw in Jizhicms v2.5.4 through patching or code correction.

detect

Enables vulnerability scanning to identify and prioritize the SQL injection vulnerability in the application.

References