CVE-2020-37117

HIGH

jizhicms 1.6.7 - Authenticated Arbitrary File Download via Admin Plugins Update Endpoint

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37117. PoCs published by jizhicms.

AI-analyzed exploit summary: This exploit demonstrates an arbitrary file download vulnerability in jizhi CMS 1.6.7. It leverages the plugin update functionality to download and extract a malicious file from a remote server.

Description

jizhiCMS 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated administrators to download arbitrary files. Attackers can exploit the vulnerability by sending crafted POST requests with malicious filepath and download_url parameters to trigger unauthorized file downloads.

Exploits (1)

exploit-db · Working PoC
by jizhicms · text · webapps · php
https://www.exploit-db.com/exploits/48361

Classification
Working PoC: 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: jizhi CMS 1.6.7
Auth required: yes
Prerequisites: Access to admin panel · Valid session cookie
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Core References (3)
Exploit, Third Party Advisory (exploit): https://www.exploit-db.com/exploits/48361
Various Sources (product): https://www.jizhicms.cn/

Scores

CVSS v3 8.8
EPSS 0.0069
EPSS Percentile 48.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
jizhicms/jizhicms 1.6.7
Published Feb 05, 2026
Tracked Since Feb 18, 2026