jizhiCMS File Download Vulnerability in Admin Plugins Update Endpoint

Vulnerability

A file download vulnerability has been identified in jizhiCMS version 1.6.7. It exists in the admin plugins update endpoint and allows an authenticated administrator to download arbitrary files. Exploitation involves sending a crafted POST request in which the filepath and download_url parameters are attacker-controlled, triggering an unauthorized file download.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server.

Reproduction

To reproduce this vulnerability, send a POST request to the admin.php/Plugins/update.html endpoint. Include the action parameter set to 'start-download', along with a malicious filepath and download_url. This will initiate the download of the specified file from the provided URL.
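The weakness described above is that the endpoint trusts both parameters: download_url decides where the server fetches from, and filepath decides where the fetched content is written. The defensive check a maintainer would put in front of such a handler is shown below as an added Python illustration; it is not jizhiCMS code (which is PHP), and PLUGIN_DIR, ALLOWED_UPDATE_HOSTS and the function name are assumptions chosen for the example. It rejects non-HTTPS or non-allowlisted download sources, absolute paths, backslashes, NUL bytes and any path that resolves outside the plugin directory, and it only ever returns a normalized absolute target for the caller to use.

```python
import posixpath
from typing import Tuple
from urllib.parse import urlparse

# Constructed policy for this example; jizhiCMS's real plugin directory and
# update host are not known from the advisory, so these are placeholders.
PLUGIN_DIR = "/var/www/cms/plugins"
ALLOWED_UPDATE_HOSTS = {"updates.example.invalid"}


def validate_download_request(filepath: str, download_url: str,
                              plugin_dir: str = PLUGIN_DIR,
                              allowed_hosts=ALLOWED_UPDATE_HOSTS) -> Tuple[bool, str]:
    """Check the two attacker-controllable parameters of a 'start-download'
    request before anything is fetched or written.

    Returns (True, absolute_target_path) when both parameters are acceptable,
    otherwise (False, reason). The caller must use the returned path, never the
    raw 'filepath', as the write destination.
    """
    # --- download_url: only fetch plugin archives from a known update host ---
    parsed = urlparse(download_url)
    if parsed.scheme != "https":
        return False, "download_url must use https"
    host = parsed.hostname  # userinfo such as 'good@evil' is stripped here
    if host is None or host.lower() not in allowed_hosts:
        return False, "download_url host is not an approved update source"

    # --- filepath: a relative name that resolves inside plugin_dir ---
    if not filepath or "\x00" in filepath or "\\" in filepath:
        return False, "filepath is empty or contains a NUL or backslash"
    if posixpath.isabs(filepath):
        return False, "filepath must be relative to the plugin directory"
    base = posixpath.normpath(plugin_dir)
    target = posixpath.normpath(posixpath.join(base, filepath))
    # After normalisation, any '..' component that climbed out of base shows up
    # as a target that no longer sits under base + '/'.
    if not target.startswith(base + "/"):
        return False, "filepath escapes the plugin directory"
    if not target.endswith(".zip"):
        return False, "only .zip plugin archives may be downloaded"
    return True, target


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, the rest shaped like the
    # parameter abuse the advisory describes.
    samples = [
        ("myplugin/myplugin.zip", "https://updates.example.invalid/myplugin.zip"),
        ("../../config/database.php", "https://updates.example.invalid/x.zip"),
        ("/etc/cron.d/job", "https://updates.example.invalid/x.zip"),
        ("myplugin.zip", "http://updates.example.invalid/x.zip"),
        ("myplugin.zip", "https://internal.example.invalid/secret.zip"),
    ]
    for fp, url in samples:
        ok, detail = validate_download_request(fp, url)
        print(f"{'ALLOW' if ok else 'REJECT':6} filepath={fp!r} url={url!r}: {detail}")
```

The string comparison works on the normalized path only; on a real filesystem the handler should additionally resolve the existing parent directory with os.path.realpath before writing, so that a symlink already planted inside the plugin directory cannot redirect the write.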

Added: Feb 5, 2026, 5:57 PM
Updated: Feb 5, 2026, 9:36 PM

Vulnerability Rating

Custom Algorithm

  spread          1.0
  impact          2.5
  exploitability  6.3
  remediation     0.0
  relevance       2.7
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.