MEDIUM 6.3

CVE-2026-10193: SQL Injection in OFCMS ComnController – Authentication Required

OFCMS versions up to 1.1.3 contain a SQL injection vulnerability in the ComnController component. An authenticated attacker can manipulate the 'system.user.query' parameter to inject malicious SQL commands, potentially accessing, modifying, or deleting database records. The vulnerability has been publicly disclosed and exploit code is available, making active exploitation a realistic threat.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-05-31 / 2026-06-17

NVD description (verbatim)

A security flaw has been discovered in OFCMS up to 1.1.3. The impacted element is the function Query of the file ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\ComnController.java of the component ComnController. Performing a manipulation of the argument system.user.query results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10193 is a SQL injection flaw (CWE-89, CWE-74) located in the Query function of ComnController.java within the OFCMS administration module. The vulnerability exists because user-supplied input from the 'system.user.query' argument is not properly sanitized before being passed to SQL queries. Attack vectors are network-accessible, require valid credentials, and do not depend on user interaction. The CVSS 3.1 score is 6.3 (MEDIUM), reflecting the need for authentication and limited scope of impact.

Business impact

Organizations running OFCMS as a content management system face risk of unauthorized database access and modification. An authenticated account holder (or compromised credential) could extract sensitive data, alter content or user records, or corrupt database integrity. The public availability of exploit code increases the likelihood of opportunistic attacks, particularly in environments where OFCMS administration credentials are shared or weakly protected.

Affected systems

OFCMS versions up to and including 1.1.3 are affected. The vulnerability resides in the administration controller and is accessible only after authentication, meaning it impacts users with access to the OFCMS admin interface or attackers who have obtained valid admin or privileged user credentials.

Exploitability

The flaw is readily exploitable given valid authentication. Exploit code has been released publicly, lowering the technical barrier to attack. The CVSS vector (AV:N/AC:L/PR:L/UI:N) indicates the attack is straightforward once credentials are obtained—no special network conditions or user action is required beyond the initial authentication step. Organizations with weak credential hygiene or exposed admin panels face elevated risk.

Remediation

Upgrade to a patched version of OFCMS beyond 1.1.3 once available from the vendor. Verify the release notes for explicit SQL injection remediation. Until patches are deployed, restrict access to the OFCMS admin interface via network segmentation, strong authentication controls (multi-factor authentication), and regular credential rotation to limit the window of exposure for authenticated attackers.

Patch guidance

Monitor official OFCMS release channels and vendor advisories for a security update that addresses SQL injection in the Query function. Verify patch applicability to your version before deployment. Apply patches to non-production environments first to validate compatibility. The vulnerability notification indicates the vendor has been contacted but has not yet responded; follow up with the maintainers if no update is issued within a reasonable timeframe or consider alternative CMS solutions if the project becomes inactive.

Detection guidance

Monitor database query logs and application logs for suspicious SQL patterns in ComnController Query function calls, particularly those containing UNION, SELECT, or comment sequences (--) in the 'system.user.query' parameter. Implement database activity monitoring (DAM) to detect anomalous queries. Intrusion detection systems should flag attempts to manipulate that parameter with SQL metacharacters. Review admin interface access logs for unusual activity or credential usage patterns.

Why prioritize this

Although scored MEDIUM severity, prioritize this vulnerability for rapid patching because: (1) exploit code is publicly available and reduces attack complexity; (2) SQL injection can lead to full database compromise; (3) it affects administrative functions with high-value data; (4) the vendor has not yet responded, suggesting delays in patching; (5) authentication requirement only moderately reduces risk if admin credentials are shared, weak, or have been compromised elsewhere.

Risk score, explained

The CVSS 3.1 score of 6.3 (MEDIUM) reflects the combination of network accessibility (AV:N) and low attack complexity (AC:L), offset by the authentication requirement (PR:L) and impact limited to confidentiality, integrity, and availability within a single system (S:U, C:L/I:L/A:L). This scoring is reasonable for a SQL injection requiring valid credentials; however, real-world risk may be elevated if credentials are easily obtainable or if OFCMS instances are exposed to untrusted internal networks.

Frequently asked questions

What does 'system.user.query' do, and why is it vulnerable?

'system.user.query' is a parameter in the ComnController that processes database queries related to user management. It is vulnerable because the application does not properly escape or validate the input before constructing SQL statements, allowing an attacker to inject arbitrary SQL code that the database will execute with the application's privileges.

Do I need valid OFCMS admin credentials to exploit this, or can an unauthenticated attacker do it?

Valid authentication is required. An attacker needs to log in as an admin or privileged user to access the vulnerable Query function. However, if credentials are compromised, shared, or weak, this barrier is easily overcome. This is why credential security and admin panel access control are critical.

What should I do if I cannot upgrade immediately?

Implement strong network controls: restrict OFCMS admin access to trusted IP ranges, require multi-factor authentication, rotate admin credentials regularly, and enable comprehensive logging. Consider taking the admin interface offline temporarily if you cannot patch quickly and SQL injection is actively being exploited in your region.

Is this affecting the CISA Known Exploited Vulnerabilities (KEV) catalog?

No, CVE-2026-10193 is not currently on the CISA KEV list, though public exploits exist. This does not diminish the threat—it may reflect recency of the disclosure or limited reported attacks. Do not rely on KEV status alone to prioritize patching.

This analysis is based on publicly available CVE data and vendor disclosures current as of the publication date. Patch version numbers and exact remediation steps should be verified against official OFCMS advisories and release notes. The vendor had not responded to the initial report at time of analysis; contact OFCMS maintainers directly for the latest security status. Organizations must validate all patches and security controls in their own environment before production deployment. This document does not constitute professional security advice and should be supplemented by internal risk assessment and security governance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).