5.0.1
A cross-site scripting (XSS) vulnerability has been discovered in JFinalCMS version 5.0.0. The flaw resides in the /admin/admin/save API endpoint, which accepts user-supplied input that is later rendered into the application's pages without adequate encoding, allowing an attacker to inject malicious scripts. Successful exploitation could lead to session hijacking or defacement. The vulnerability was publicly disclosed on 2026-02-09 and a fix is recommended.
The XSS vulnerability in JFinalCMS allows an attacker to inject arbitrary JavaScript code into the application's web pages. This code can then be executed in the context of a user's browser, potentially granting the attacker access to sensitive information such as session cookies. An attacker could use this to hijack user accounts, deface the website, or redirect users to malicious websites. Given the public availability of the exploit, the risk of exploitation is elevated, particularly for systems with unpatched JFinalCMS installations.
The vulnerability details and exploit have been publicly disclosed, indicating a higher probability of exploitation. While no active campaigns have been confirmed, the availability of a proof-of-concept increases the risk. The CVE was published on 2026-02-09. The CVSS score is 2.4 (LOW).
Administrators and users of JFinalCMS 5.0.0 are at risk. Because the vulnerable endpoint sits under /admin, the most likely victim is an authenticated administrator whose browser renders the injected script, which is exactly the session an attacker would want to hijack. Shared hosting environments that run JFinalCMS deserve extra attention, although XSS itself executes in the victim's browser and does not by itself cross tenant boundaries on the server. Installations that lack consistent input validation and output encoding are at increased risk.
• Stored payloads on disk (JFinalCMS is a Java application, and /admin/admin/save is a URL route, not a file, so the web root rather than the route path must be searched):
    grep -rn "<script" /path/to/jfinalcms/webapp
• Reflection probe (requires a valid admin session cookie; `param` is a placeholder for the actual form field name):
    curl -s -G --data-urlencode 'param=<script>alert(1)</script>' \
         -b 'JSESSIONID=...' 'http://your-jfinalcms-site.com/admin/admin/save' \
      | grep -c '<script>alert(1)</script>'
  `--data-urlencode` keeps the shell from treating `<` and `>` as redirections, and a body fetch is required because `curl -I` only retrieves headers and can never show a reflected payload. If the save handler expects a POST, drop `-G` so the parameter is sent as form data. A non-zero count means the payload came back unencoded; an encoded reflection (`&lt;script&gt;`) is the fixed behaviour.
Exploitation status
EPSS: 0.04% (11th percentile)
The primary mitigation for CVE-2026-2200 is to upgrade to a patched version of JFinalCMS. Until an official patch is available, implement strict input validation and contextual output encoding on the data handled by the /admin/admin/save endpoint: HTML-entity-encode every user-supplied value at the point where it is written into a page, rather than relying on filtering alone. A Web Application Firewall (WAF) with XSS rules can block obvious probes, but it is a stopgap that can be bypassed by encoding variations, not a substitute for encoding in the application. Regularly review and update your CMS security configuration.
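The following is an added example, not JFinalCMS code, illustrating both the reflection probe above and the output-encoding fix described in this section. It builds the URL-encoded query a probe should send, contrasts the vulnerable pattern (raw concatenation into HTML) with the hardened one (entity encoding), and classifies a response body as vulnerable only when the raw payload appears unencoded. The parameter name `param` and the HTML fragments are assumptions for illustration.

```python
"""Added example (not JFinalCMS code): probe construction, vulnerable vs.
hardened rendering, and a response classifier for the /admin/admin/save XSS.
'param' and the HTML fragments are assumed placeholders."""
import html
from urllib.parse import urlencode

# Probe string from the advisory's curl check.
PAYLOAD = '<script>alert(1)</script>'


def probe_query(payload: str = PAYLOAD, param: str = 'param') -> str:
    """URL-encode the probe so it is safe on a shell command line and in a
    query string; '<', '>', '(', ')' and '/' are all percent-encoded."""
    return urlencode({param: payload})


def render_unsafe(value: str) -> str:
    """Vulnerable pattern: user input concatenated into page HTML as-is,
    so <script> is parsed by the browser as an element, not as text."""
    return f'<div class="title">{value}</div>'


def render_safe(value: str) -> str:
    """Fix: HTML-entity-encode at the output point. quote=True also encodes
    ' and " so the same value is safe inside an attribute."""
    return f'<div class="title">{html.escape(value, quote=True)}</div>'


def reflects_unescaped(body: str, payload: str = PAYLOAD) -> bool:
    """True only when the raw payload is present in the body. An encoded
    reflection (&lt;script&gt;...) renders as text and is not vulnerable."""
    return payload in body


def classify_response(body: str, payload: str = PAYLOAD) -> str:
    """Label a constructed response body the way the curl probe would be read:
    'vulnerable', 'encoded' (fixed), or 'absent' (not reflected at all)."""
    if reflects_unescaped(body, payload):
        return 'vulnerable'
    if html.escape(payload, quote=True) in body:
        return 'encoded'
    return 'absent'


if __name__ == '__main__':
    # Constructed sample responses standing in for the real endpoint.
    print(probe_query())
    for name, body in (('unsafe', render_unsafe(PAYLOAD)),
                       ('safe', render_safe(PAYLOAD)),
                       ('empty', '<div class="title"></div>')):
        print(name, '->', classify_response(body))
```

Run it directly to see the three classifications; in practice `classify_response` would be fed the body returned by the curl probe, and only the `encoded` result indicates the endpoint is fixed.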
Update JFinalCMS to a version later than 5.0.0 to fix the cross-site scripting (XSS) vulnerability. If no such version is available yet, apply a security patch that filters or escapes user input on the /admin/admin/save endpoint to prevent malicious code injection.
CVE-2026-2200 is a cross-site scripting vulnerability in JFinalCMS 5.0.0 affecting the /admin/admin/save endpoint, allowing attackers to inject malicious scripts.
If you are running JFinalCMS version 5.0.0, you are potentially affected by this vulnerability. Upgrade as soon as possible.
Upgrade to a patched version of JFinalCMS. Until a patch is available, implement strict input validation and output encoding.
While no active campaigns have been confirmed, the public availability of the exploit increases the risk of exploitation.
Refer to the JFinalCMS official website or security mailing list for the latest advisory and patch information.