CVE-2020-37117 HIGH

CVE-2020-37117: jizhiCMS 1.6.7 - Arbitrary File Download

Vendor Jizhicms
Product jizhiCMS
Weakness CWE-434 · Unrestricted file upload
Published February 5, 2026
Last update March 5, 2026

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

jizhiCMS 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated administrators to download arbitrary files. Attackers can exploit the vulnerability by sending crafted POST requests with malicious filepath and download_url parameters to trigger unauthorized file downloads.

Key dates

02 Disclosure timeline

February 5, 2026 CVE published
March 5, 2026 Record updated