CVE-2026-10202: OFCMS 1.1.3 SQL Injection in SystemDictController
A SQL injection vulnerability exists in OFCMS version 1.1.3 affecting the JSON Query Interface within the SystemDictController component. An authenticated attacker can send specially crafted queries to manipulate SQL commands executed by the application, potentially reading, modifying, or deleting database records. The vulnerability requires valid user credentials but can be exploited over the network without user interaction. Exploit code is publicly available, increasing the risk of active exploitation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability was identified in OFCMS 1.1.3. This issue affects the function Query of the file \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SystemDictController.java of the component JSON Query Interface. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10202 is a SQL injection flaw in the Query function of SystemDictController.java (located at \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SystemDictController.java) within OFCMS 1.1.3's JSON Query Interface. The vulnerability stems from insufficient input validation on query parameters, allowing authenticated users to inject malicious SQL syntax. The flaw maps to CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-89 (SQL Injection), indicating that user-supplied input is passed unsanitized to database queries. With a CVSS 3.1 score of 6.3 (Medium severity), the attack requires network access and valid authentication but no user interaction. The low attack complexity suggests straightforward exploitation once credentials are obtained.
Business impact
Organizations running OFCMS 1.1.3 face data confidentiality and integrity risks. Attackers with valid accounts—whether obtained through credential compromise, insider threats, or shared administrative access—can extract sensitive database contents, modify records, or execute unauthorized transactions. In multi-tenant or shared hosting environments, this could enable lateral movement or data exfiltration affecting multiple business units. The public availability of exploit code accelerates the timeline for opportunistic attacks, particularly against organizations with slower patching cycles or weak credential governance.
Affected systems
OFCMS version 1.1.3 is explicitly affected. The vulnerability resides in the administrative controller, suggesting that systems with exposed admin interfaces or those accessible to internal networks are at elevated risk. Organizations should audit deployments for this specific version and assess whether the SystemDictController endpoint is reachable from untrusted network segments. No patch version information is currently available from the vendor.
Exploitability
The attack is remotely exploitable by any authenticated user without requiring special privileges or user interaction. Public exploit code is already available, lowering the barrier to exploitation. However, the requirement for valid credentials provides a partial control layer—organizations with strong access management and monitored user accounts may detect exploitation attempts. The straightforward nature of SQL injection (AC:L in the CVSS vector) means that once an attacker gains credentials, successful exploitation is likely. In environments with weak password policies or credential reuse, risk increases substantially.
Remediation
Immediate action: Disable or restrict access to the OFCMS administrative interface if not actively required, particularly from untrusted networks. Implement network segmentation to limit admin access to trusted IP ranges. Enforce strong, unique credentials for all administrative accounts and enable multi-factor authentication if supported. Review recent admin activity logs for suspicious query patterns. Long-term: Upgrade OFCMS to a patched version when available (verify against the vendor advisory for the exact version addressing this issue). If the vendor has not yet released a patch, contact OFCMS support directly for guidance. Apply database-level mitigations such as read-only query restrictions or parameterized query enforcement if the application architecture permits.
Patch guidance
As of the last update, the OFCMS project was informed of this issue but has not publicly released a patch. Verify with the official OFCMS repository and vendor advisory for the latest patched version. When a patch becomes available, prioritize deployment for systems with internet-facing or multi-user administrative access. Test patches in a staging environment to ensure compatibility with your deployment, particularly if you have custom extensions or integrations. Document the patching timeline for compliance and audit purposes.
Detection guidance
Monitor database activity logs for unusual SQL syntax or multi-statement queries originating from the OFCMS application. Alert on failed SQL execution attempts or privilege escalation queries within the context of the SystemDictController endpoint. Implement Web Application Firewall (WAF) rules to detect common SQL injection patterns in query parameters. Review access logs for the admin controller endpoint (/ofcms-admin/system/dict or equivalent routing) to identify suspicious users or repeated query attempts. Correlate authentication logs with database query logs to detect compromised credentials being exploited. Enable query auditing at the database level to capture payloads and affected tables.
Why prioritize this
While the CVSS 3.1 score of 6.3 reflects a medium severity rating, several factors warrant elevated priority: (1) public exploit code significantly reduces time-to-exploitation, (2) SQL injection is a well-understood and powerful attack vector, (3) the administrative context suggests potential for high-impact data access, and (4) the vendor's lack of response suggests this may be a legacy or abandoned product. Organizations should treat this as high-priority for systems in production, medium-priority for isolated or development instances. The authentication requirement prevents it from being critical, but only if credential controls are strong.
Risk score, explained
The CVSS 3.1 score of 6.3 (Medium) reflects the balance between impact and exploitability. The score is driven down by the requirement for valid authentication (PR:L), but driven up by the low attack complexity (AC:L), network accessibility (AV:N), and impact on confidentiality, integrity, and availability (C:L, I:L, A:L). In organizations with robust credential management and network segmentation, the practical risk may be lower. In organizations with shared credentials, weak password policies, or internet-facing admin interfaces, the effective risk approaches 'High' despite the base score. Adjust your internal risk rating based on your deployment posture and threat model.
Frequently asked questions
Do I need valid login credentials to exploit this vulnerability?
Yes. The CVSS vector shows PR:L, meaning 'low privilege required.' You must authenticate to the OFCMS application to craft the malicious SQL query. However, this can be a compromised low-privilege account or shared credentials, not necessarily an administrator account.
What databases does OFCMS 1.1.3 support, and does the vulnerability affect all of them?
The CVE description does not specify the underlying database system. SQL injection techniques may vary slightly depending on whether OFCMS uses MySQL, PostgreSQL, SQL Server, or another backend. Verify your specific OFCMS configuration and apply database-specific input validation rules accordingly.
Is this vulnerability included in the CISA Known Exploited Vulnerabilities (KEV) catalog?
No, as of the publication date (June 1, 2026), this vulnerability is not listed on the KEV catalog. However, the public availability of exploit code means it could be added if exploitation attempts are documented in the wild.
Can I use a Web Application Firewall to protect against this without patching?
A WAF can help detect and block common SQL injection payloads, but it is not a reliable substitute for patching. Determined attackers can often craft payloads to bypass WAF rules. Use WAF rules as a temporary mitigation while you prepare to upgrade, but prioritize obtaining and deploying the patch.
This analysis is provided for informational purposes and reflects publicly disclosed information as of the publication date. CVSS scores, patch versions, and vendor statements are subject to change; verify against the official OFCMS advisory and vendor security documentation before making deployment decisions. Organizations should conduct their own risk assessment based on their specific deployment environment, network architecture, and threat model. This document does not constitute legal advice or a guarantee of security. Test all patches in a non-production environment before deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10155MEDIUMSQL Injection in Bdtask Multi-Store Inventory Management System 1.0
- CVE-2026-10170MEDIUMSQL Injection in code-projects Visitor Management System 1.0
- CVE-2026-10171MEDIUMSQL Injection in code-projects Online Music Site 1.0 AdminUpdateAlbum.php
- CVE-2026-10176MEDIUMSQL Injection in Aider-AI Aider 0.86.3 Code Generation
- CVE-2026-10193MEDIUMSQL Injection in OFCMS ComnController – Authentication Required
- CVE-2026-10203MEDIUMSQL Injection in OFCMS 1.1.3 JSON Query Interface
- CVE-2026-10204MEDIUMSQL Injection in OFCMS 1.1.3 JSON Query Interface
- CVE-2026-10209MEDIUMSQL Injection in Online Hospital Management System 1.0