MEDIUM 6.3

CVE-2026-10203: SQL Injection in OFCMS 1.1.3 JSON Query Interface

A SQL injection vulnerability exists in OFCMS 1.1.3 within the Query function of the SystemParamController component. The flaw allows authenticated attackers to inject malicious SQL commands through the JSON Query Interface, potentially compromising database integrity and confidentiality. Public exploit code is available, increasing active exploitation risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A security flaw has been discovered in OFCMS 1.1.3. Impacted is the function Query of the file \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SystemParamController.java of the component JSON Query Interface. The manipulation results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10203 is a SQL injection vulnerability (CWE-89, CWE-74) in OFCMS 1.1.3's JSON Query Interface. The vulnerable code path traverses through \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SystemParamController.java, specifically in the Query function. The vulnerability stems from insufficient input validation on query parameters, permitting attackers to craft malicious SQL that the application executes directly against the backend database. The attack requires valid authentication (CVSS vector PR:L) but no user interaction.

Business impact

Exploitation enables unauthorized database access, data exfiltration, and potential data modification. Attackers with valid credentials can query or manipulate sensitive information stored in the CMS database, including user data, configuration parameters, and potentially customer records. While the severity is moderate, the presence of public exploit code and lack of vendor response significantly elevate operational risk for organizations running OFCMS 1.1.3 in production.

Affected systems

OFCMS version 1.1.3 is confirmed vulnerable. Organizations running this version with accessible admin interfaces face direct risk. The vulnerability requires network access to the admin panel and valid authentication credentials, limiting but not eliminating the attack surface.

Exploitability

Public exploits are available, reducing the barrier to weaponization. Exploitation requires valid admin or authenticated user credentials, making this suitable for lateral movement scenarios or attacks from compromised internal accounts. The CVSS score of 6.3 (MEDIUM) reflects the authentication prerequisite; however, the presence of public tooling and lack of vendor acknowledgment warrant elevated practical concern.

Remediation

Upgrade OFCMS to a patched version once available from the vendor. In the interim, enforce strict access controls on the admin panel, restrict network access to the \ofcms-admin interface via firewall or VPN, and monitor database query logs for anomalous SQL patterns. Verify the vendor advisory for patch availability and recommended upgrade paths.

Patch guidance

Monitor OFCMS project channels and vendor advisories for an official patch release. As of the vulnerability publication date (2026-06-01) and last modification (2026-06-17), no patch version has been officially released. Contact the OFCMS vendor directly to confirm patching timelines. Test any patch in a non-production environment before deployment.

Detection guidance

Monitor database query logs for evidence of UNION-based, time-based, or boolean-based SQL injection attempts originating from the admin interface. Look for encoded SQL keywords, unusual query patterns, or repeated failed/successful query attempts. Web application firewalls should be configured to detect and block common SQL injection payloads in the Query parameter. Audit admin account usage and session logs for unauthorized or suspicious authentication patterns.

Why prioritize this

Although classified MEDIUM severity, this vulnerability merits prompt attention due to the combination of public exploit availability, vendor non-responsiveness, and the insider-threat or lateral-movement risk posed by authenticated attack scenarios. Organizations should prioritize patching once available, particularly for internet-facing or multi-tenant OFCMS deployments.

Risk score, explained

CVSS 6.3 reflects the requirement for valid authentication (PR:L), network accessibility (AV:N), and low complexity (AC:L), with limited scope and combined confidentiality, integrity, and availability impact (C:L/I:L/A:L). However, the practical risk is amplified by public exploit availability and the lack of vendor response, warranting monitoring and proactive remediation planning beyond the base score alone.

Frequently asked questions

Does this vulnerability affect OFCMS versions other than 1.1.3?

The vulnerability is confirmed in OFCMS 1.1.3. Verify with the vendor whether earlier or later versions are affected. Do not assume safety without explicit confirmation.

Can this vulnerability be exploited without valid credentials?

No. The CVSS vector includes PR:L, indicating that valid authentication credentials are required. This limits exposure to users with legitimate admin or application access.

Is there an official patch available?

As of the last update (2026-06-17), the vendor has not released a patch despite early notification. Check the official OFCMS project repository and vendor security advisories for status updates.

What is the recommended immediate action if we run OFCMS 1.1.3?

Restrict network access to the admin interface, enforce strong authentication, monitor database logs, and maintain readiness to patch immediately upon vendor release. Do not delay upgrade planning.

This analysis is provided for informational purposes and reflects information current as of 2026-06-17. Patch availability and vendor response may change; consult official OFCMS project channels and vendor advisories for the latest status. SEC.co does not provide legal advice or liability guarantees. Organizations should conduct independent risk assessments and implement controls appropriate to their environment and threat model. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).