CVE-2025-70397
Published: 17 February 2026
Summary
CVE-2025-70397 is a high-severity SQL Injection (CWE-89) vulnerability in Jizhicms Jizhicms. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-70397 is a SQL injection vulnerability (CWE-89) in jizhicms version 2.5.6, published on 2026-02-17. The issue affects the Article/deleteAll and Extmolds/deleteAll endpoints, where the 'data' parameter fails to properly sanitize user input, allowing injection of malicious SQL queries. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant data compromise.
Attackers with high privileges, such as authenticated administrators, can exploit this over the network with low complexity and no user interaction required. By crafting payloads in the 'data' parameter, they can execute arbitrary SQL commands, leading to high-impact outcomes: unauthorized access to sensitive data (confidentiality), modification or deletion of database contents (integrity), and disruption of service (availability).
Advisories and further details are available at http://jizhicms.com and https://www.23882.me/index.php/2026/02/15/jizhicms-%e5%90%8e%e5%8f%b0%e5%ad%98%e5%9c%a8sql%e6%b3%a8%e5%85%a5/. Security practitioners should consult these for vendor-recommended patches or workarounds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207861
Vulnerability details
jizhicms 2.5.6 is vulnerable to SQL Injection in Article/deleteAll and Extmolds/deleteAll via the data parameter.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in publicly accessible CMS admin endpoints directly enables T1190 (Exploit Public-Facing Application) for arbitrary SQL execution with high impact on C/I/A.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of the 'data' parameter before it reaches SQL queries in Article/deleteAll and Extmolds/deleteAll, blocking the CWE-89 injection.
Mandates timely remediation of the identified flaw in jizhicms 2.5.6 so the unsanitized input path is removed or corrected.
Restricts the high-privilege accounts (PR:H) that can reach the vulnerable endpoints, reducing the population able to supply malicious 'data' payloads.