CVE-2020-37117

HIGH

jizhiCMS 1.6.7 - File Download

Title source: llm

Description

jizhiCMS 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated administrators to download arbitrary files. Attackers can exploit the vulnerability by sending crafted POST requests with malicious filepath and download_url parameters to trigger unauthorized file downloads.

Exploits (1)

exploitdb WORKING POC
by jizhicms · text · webapps · php
https://www.exploit-db.com/exploits/48361

Scores

CVSS v3 8.8
EPSS 0.0006
EPSS Percentile 19.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
jizhicms/jizhicms 1.6.7
Published Feb 05, 2026
Tracked Since Feb 18, 2026