Unknown · Lvzhou CMS · CVE-2025-65877
**Name of the Vulnerable Software and Affected Versions**
Lvzhou CMS versions prior to commit c4ea0eb9cab5f6739b2c87e77d9ef304017ed615 (2025-09-22)
**Description**
The software contains a SQL injection flaw caused by unsanitized input. The `title` parameter of the `com.wanli.lvzhoucms.service.ContentService#findPage` function is incorporated directly into a dynamic SQL query, without sanitization or the use of prepared statements. This allows attackers to potentially read sensitive data from the database.
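
The pattern described above, as an added illustration in Python with SQLite rather than the project's Java (this is not Lvzhou CMS source code; the schema, function names and inputs are constructed assumptions). It places a paged title search built by concatenation next to the same search with a bound parameter and escaped `LIKE` wildcards.

```python
import sqlite3

# Constructed schema and rows; table/column names are assumptions, not Lvzhou CMS's.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    db.executemany("INSERT INTO content (title, published) VALUES (?, ?)",
                   [("Release notes", 1), ("Editor's picks", 1), ("Internal draft", 0)])
    return db

def find_page_concatenated(db, title, page=0, size=10):
    """Flawed pattern: `title` is spliced into the SQL text and parsed as SQL."""
    sql = ("SELECT id, title FROM content WHERE published = 1 "
           "AND title LIKE '%" + title + "%' "
           f"ORDER BY id LIMIT {int(size)} OFFSET {int(page) * int(size)}")
    return db.execute(sql).fetchall()

def escape_like(value, esc="\\"):
    """Make LIKE metacharacters in user input match literally."""
    for ch in (esc, "%", "_"):  # escape the escape character first
        value = value.replace(ch, esc + ch)
    return value

def find_page_parameterized(db, title, page=0, size=10):
    """Hardened pattern: fixed SQL text, `title` bound as a value."""
    sql = ("SELECT id, title FROM content WHERE published = 1 "
           "AND title LIKE ? ESCAPE '\\' ORDER BY id LIMIT ? OFFSET ?")
    pattern = "%" + escape_like(title) + "%"
    return db.execute(sql, (pattern, int(size), int(page) * int(size))).fetchall()

def concatenated_outcome(db, title):
    """Return the rows, or 'sql-error' if the input broke the statement."""
    try:
        return find_page_concatenated(db, title)
    except sqlite3.OperationalError:
        return "sql-error"

# Constructed inputs: an ordinary title with an apostrophe, and a quote-bearing
# string that changes the WHERE clause when concatenated.
APOSTROPHE = "Editor's"
CLAUSE_CHANGING = "x%' OR '1' LIKE '1"

if __name__ == "__main__":
    db = make_db()
    for t in ("notes", APOSTROPHE, CLAUSE_CHANGING, "%"):
        print(repr(t), concatenated_outcome(db, t), find_page_parameterized(db, t))
```

A search for an ordinary title containing an apostrophe is a quick regression check: it errors in the concatenated form and matches normally in the parameterized one.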
**Recommendations**
Update Lvzhou CMS to commit c4ea0eb9cab5f6739b2c87e77d9ef304017ed615 (2025-09-22) or a later version.