Jfinal CMS is a powerful information consulting website system developed in Java. It uses the simple and powerful JFinal as its web framework, beetl as the template engine, MySQL as the database, and Bootstrap as the front-end framework. Jfinal CMS version 5.1 has a SQL injection vulnerability. The vulnerability originates from the /admin/ path: the folder path is directly spliced from the getOrderby function, so an attacker can use this vulnerability to conduct SQL injection attacks.
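
The pattern this advisory describes, an order-by value spliced into a statement, shown beside an allowlisted form. This is an added Java example, not Jfinal CMS code: the class, method, table and column names are hypothetical, and it assumes getOrderby yields an ORDER BY fragment taken from the request.

```java
import java.util.Locale;
import java.util.Map;

public class OrderByAllowlist {
    // Hypothetical sort keys mapped to column names; only these values reach the SQL text.
    private static final Map<String, String> SORTABLE = Map.of(
        "id", "id",
        "name", "name",
        "updated", "update_time");

    // "Before": the request value is concatenated into the statement as-is.
    // Bind parameters cannot stand in for identifiers, which is why this pattern appears.
    static String unsafeQuery(String orderBy) {
        return "select * from demo_table order by " + orderBy;
    }

    // "After": accept only "<key> [asc|desc]" and emit identifiers from the allowlist.
    static String safeQuery(String orderBy) {
        if (orderBy == null || orderBy.trim().isEmpty()) {
            return "select * from demo_table order by id desc"; // fixed default
        }
        String[] parts = orderBy.trim().split("\\s+");
        if (parts.length > 2) {
            throw new IllegalArgumentException("unsupported sort expression");
        }
        String column = SORTABLE.get(parts[0].toLowerCase(Locale.ROOT));
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort key");
        }
        String dir = "asc";
        if (parts.length == 2) {
            if (parts[1].equalsIgnoreCase("desc")) dir = "desc";
            else if (!parts[1].equalsIgnoreCase("asc"))
                throw new IllegalArgumentException("unsupported sort direction");
        }
        return "select * from demo_table order by " + column + " " + dir;
    }

    public static void main(String[] args) {
        // Constructed inputs: one well-formed, two that do not match the accepted grammar.
        for (String in : new String[] {"updated desc", "id desc extra", "no_such_key"}) {
            try {
                System.out.println(in + " -> " + safeQuery(in));
            } catch (IllegalArgumentException e) {
                System.out.println(in + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```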