SQL Injection Vulnerability in JizhiCMS ≤ 2.5.6 Batch API

CVE-ID: CVE-2026-3292
BUG Author: Ops
Affected Version: JizhiCMS ≤ 2.5.6
Vendor: 极致CMS
Software: Cherry-toto/JizhiCMS
Vulnerability Files:

Description:

1. ORM supports direct concatenation of string conditions (root cause):
   - The file directly concatenates clauses in multiple places when is a string.
   - This can be exploited by sending a crafted request to the login endpoint with malicious SQL code.

2. Filtering is insufficient:
   - Parameter filtering in primarily uses + for processing.
   - However, falls into an unquoted numeric context, where attackers can construct injection snippets that do not require quotation marks.
   - Most of these interfaces perform delete/update operations, so verifying the injection against them is destructive.

Proof of Concept (POC):

1. Log in to obtain the admin cookie:
2. Call the batch interfaces. Wherever there is a batch function, there is an SQL injection vulnerability.
   - Sample data packets ( ):
   - Sample request to change article type:
   - Sample request to change product type:
   - Sample request to check message:
3. Use sqlmap for automated testing:
4. If successful, it will be displayed as follows:
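As an added illustration (not the project's code; written in Python rather than the CMS's PHP, against a constructed in-memory table), the vulnerable concatenation pattern described above sits beside a hardened batch handler that validates the id list and binds parameters. The quote-escaping filter, table name and column names are assumptions for the demo, not the CMS's own.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a CMS article table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE article (id INTEGER PRIMARY KEY, tid INTEGER);"
        "INSERT INTO article (id, tid) VALUES (1, 10), (2, 10), (3, 20), (4, 30);"
    )
    return conn


def quote_escape(value: str) -> str:
    """Quote-oriented filter (addslashes-style, assumed for the demo).
    It only escapes quotes and backslashes, so input that lands in an
    unquoted numeric context passes through unchanged."""
    return re.sub(r"(['\"\\])", r"\\\1", value)


def build_where_unsafe(ids_param: str) -> str:
    """Vulnerable pattern: the filtered string is concatenated straight into
    the IN (...) clause. Shown for comparison only; do not execute it."""
    return f"UPDATE article SET tid=99 WHERE id IN ({quote_escape(ids_param)})"


def parse_id_list(ids_param: str) -> list[int]:
    """Hardened: accept only comma-separated positive integers, reject anything else."""
    ids = []
    for tok in ids_param.split(","):
        tok = tok.strip()
        if not re.fullmatch(r"[1-9][0-9]*", tok):
            raise ValueError(f"invalid id in batch list: {tok!r}")
        ids.append(int(tok))
    if not ids:
        raise ValueError("empty batch list")
    return ids


def is_valid_batch(ids_param: str) -> bool:
    try:
        parse_id_list(ids_param)
        return True
    except ValueError:
        return False


def batch_update_safe(conn: sqlite3.Connection, ids_param: str, new_tid: int) -> int:
    """Validated ids are bound as parameters; no user string reaches the SQL text."""
    ids = parse_id_list(ids_param)
    placeholders = ",".join("?" * len(ids))
    cur = conn.execute(f"UPDATE article SET tid=? WHERE id IN ({placeholders})", [new_tid, *ids])
    return cur.rowcount
```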