Platform
php
Component
my_cve
Fixed in
5.0.1
A cross-site scripting (XSS) vulnerability has been discovered in JFinalCMS version 5.0.0. This flaw resides within the /admin/admin/save API endpoint, allowing an attacker to inject malicious scripts into the application. Successful exploitation could lead to session hijacking or defacement. The vulnerability was publicly disclosed on 2026-02-09 and a fix is recommended.
The XSS vulnerability in JFinalCMS allows an attacker to inject arbitrary JavaScript code into the application's web pages. This code can then be executed in the context of a user's browser, potentially granting the attacker access to sensitive information such as session cookies. An attacker could use this to hijack user accounts, deface the website, or redirect users to malicious websites. Given the public availability of the exploit, the risk of exploitation is elevated, particularly for systems with unpatched JFinalCMS installations.
The vulnerability details and exploit have been publicly disclosed, indicating a higher probability of exploitation. While no active campaigns have been confirmed, the availability of a proof-of-concept increases the risk. The CVE was published on 2026-02-09. The CVSS score is 2.4 (LOW).
Administrators and users of JFinalCMS 5.0.0 are at risk. Shared hosting environments that utilize JFinalCMS are particularly vulnerable due to the potential for cross-tenant exploitation. Systems with weak input validation or output encoding are also at increased risk.
• php / web:
grep -r "<script" /var/www/jfinalcms/admin/admin/save
• generic web:
curl -I 'http://your-jfinalcms-site.com/admin/admin/save?param=<script>alert(1)</script>'
Disclosure
Exploit status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-2200 is to upgrade to a patched version of JFinalCMS. Until an official patch is available, implement strict input validation and output encoding on the /admin/admin/save endpoint. This includes sanitizing all user-supplied data before it is displayed on the page. Consider using a Web Application Firewall (WAF) with XSS protection rules to filter out malicious requests. Regularly review and update your CMS security configuration.
Update JFinalCMS to a version after 5.0.0 that fixes the cross-site scripting (XSS) vulnerability. If no such version is available, it is recommended to apply a security patch that filters or escapes user input at the /admin/admin/save endpoint in order to prevent the injection of malicious code.
CVE-2026-2200 is a cross-site scripting vulnerability in JFinalCMS 5.0.0 affecting the /admin/admin/save endpoint, allowing attackers to inject malicious scripts.
If you are running JFinalCMS version 5.0.0, you are potentially affected by this vulnerability. Upgrade as soon as possible.
Upgrade to a patched version of JFinalCMS. Until a patch is available, implement strict input validation and output encoding.
While no active campaigns have been confirmed, the public availability of the exploit increases the risk of exploitation.
Refer to the JFinalCMS official website or security mailing list for the latest advisory and patch information.