Jfinal CMS v5.1.0 exists to contain a SQL injection vulnerability via the attrVal parameter at /jfinal_cms/system/dict/list.
jflyfox jfinal cms 5.1.0