CVE-2025-50229

CriticalPublic PoC

Published: 23 April 2026

Published

23 April 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0004 11.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-50229 is a critical-severity SQL Injection (CWE-89) vulnerability in Jizhicms Jizhicms. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents SQL injection exploitation by enforcing input validation and error handling in the product editing module.

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the specific SQL injection flaw in Jizhicms v2.5.4 through patching or code correction.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Enables vulnerability scanning to identify and prioritize the SQL injection vulnerability in the application.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Direct remote unauthenticated SQL injection in public-facing CMS enables exploitation of the application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module.

Deeper analysisAI

Jizhicms v2.5.4 contains a SQL injection vulnerability (CWE-89) in its product editing module, as identified by CVE-2025-50229. This flaw has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impact on confidentiality, integrity, and availability. The vulnerability affects the open-source Jizhicms content management system, specifically version 2.5.4.

An unauthenticated attacker with network access can exploit this SQL injection remotely with low complexity and no user interaction required. Successful exploitation allows the attacker to execute arbitrary SQL queries, potentially leading to unauthorized data extraction, modification, or deletion within the application's database, as well as possible denial of service through database disruption.

Mitigation details and advisories are referenced in sources including the official Jizhicms site at http://jizhicms.cn, a GitHub Gist at https://gist.github.com/4iFei/14ad89c3b44348dd575bf5ae0ed5a19c, and the Cherry-toto/jizhicms GitHub repository (https://github.com/Cherry-toto/jizhicms), particularly issue #105 (https://github.com/Cherry-toto/jizhicms/issues/105). Security practitioners should review these for patches or workarounds.