CVE-2026-6978: SQL Injection in JiZhiCMS
CVE-2026-6978 is a medium severity SQL injection vulnerability in JiZhiCMS versions up to 2. 5. 6. It affects the htmlspecialchars_decode function in the /index. php/admins/Sys/addcache. html file, where manipulation of the sqls argument allows remote attackers to perform SQL injection. The vulnerability is publicly known and exploitable remotely. The vendor has not responded or provided any patch or mitigation guidance. No official fix is currently available.
AI Analysis
Technical Summary
This vulnerability in JiZhiCMS (up to version 2.5.6) arises from improper handling of the sqls argument in the htmlspecialchars_decode function located in /index.php/admins/Sys/addcache.html. An attacker can remotely exploit this flaw to inject SQL commands, potentially compromising the database. The CVSS 4.0 base score is 5.1, indicating medium severity with network attack vector, low complexity, and no user interaction required. The vendor has not issued any patch or advisory, and no remediation level is specified.
Potential Impact
Successful exploitation of this vulnerability allows remote attackers to perform SQL injection attacks against JiZhiCMS installations up to version 2.5.6. This can lead to unauthorized database queries, data leakage, or modification depending on the database privileges. Since the vulnerability is remotely exploitable without user interaction and the exploit is public, affected systems are at risk until mitigated.
Mitigation Recommendations
No official patch or remediation is currently available from the vendor. Users should consider implementing application-level protections such as web application firewalls to detect and block SQL injection attempts targeting the affected endpoint. Monitoring and restricting access to the /index.php/admins/Sys/addcache.html resource may reduce exposure. Stay alert for any future vendor advisories or patches and apply them promptly once available.
CVE-2026-6978: SQL Injection in JiZhiCMS
Description
CVE-2026-6978 is a medium severity SQL injection vulnerability in JiZhiCMS versions up to 2. 5. 6. It affects the htmlspecialchars_decode function in the /index. php/admins/Sys/addcache. html file, where manipulation of the sqls argument allows remote attackers to perform SQL injection. The vulnerability is publicly known and exploitable remotely. The vendor has not responded or provided any patch or mitigation guidance. No official fix is currently available.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in JiZhiCMS (up to version 2.5.6) arises from improper handling of the sqls argument in the htmlspecialchars_decode function located in /index.php/admins/Sys/addcache.html. An attacker can remotely exploit this flaw to inject SQL commands, potentially compromising the database. The CVSS 4.0 base score is 5.1, indicating medium severity with network attack vector, low complexity, and no user interaction required. The vendor has not issued any patch or advisory, and no remediation level is specified.
Potential Impact
Successful exploitation of this vulnerability allows remote attackers to perform SQL injection attacks against JiZhiCMS installations up to version 2.5.6. This can lead to unauthorized database queries, data leakage, or modification depending on the database privileges. Since the vulnerability is remotely exploitable without user interaction and the exploit is public, affected systems are at risk until mitigated.
Mitigation Recommendations
No official patch or remediation is currently available from the vendor. Users should consider implementing application-level protections such as web application firewalls to detect and block SQL injection attempts targeting the affected endpoint. Monitoring and restricting access to the /index.php/admins/Sys/addcache.html resource may reduce exposure. Stay alert for any future vendor advisories or patches and apply them promptly once available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-04-24T18:52:18.511Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ecae2c87115cfb685e0990
Added to database: 4/25/2026, 12:06:04 PM
Last enriched: 4/25/2026, 12:21:01 PM
Last updated: 4/25/2026, 1:44:14 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.