MEDIUM 6.3

CVE-2026-10204: SQL Injection in OFCMS 1.1.3 JSON Query Interface

A SQL injection vulnerability has been discovered in OFCMS version 1.1.3, specifically in the JSON Query Interface of the user management controller. An authenticated attacker can submit specially crafted queries to execute arbitrary SQL commands against the application's database. This could allow them to read, modify, or delete sensitive data. The vulnerability is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, but exploit code has been publicly released, increasing the practical risk of attacks.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A weakness has been identified in OFCMS 1.1.3. The affected element is the function Query of the file \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SysUserController.java of the component JSON Query Interface. This manipulation causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10204 is a SQL injection flaw (CWE-89, CWE-74) residing in the Query function of SysUserController.java within OFCMS 1.1.3's JSON Query Interface component. The vulnerability stems from insufficient input validation on user-supplied parameters passed to database queries. An authenticated attacker with network access can craft malicious JSON payloads to inject SQL commands, bypassing query constraints and accessing or manipulating the underlying database. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) reflects the network-exploitable nature, low attack complexity, and requirement for valid credentials; the impact is limited to the application's security domain.

Business impact

Exploitation enables data exfiltration, unauthorized modification of user records or configuration settings, and potential denial of service through resource-intensive queries. For organizations running OFCMS as a content or user management system, a successful attack could compromise customer data, disrupt service availability, or enable privilege escalation if database access permits lateral movement. The public availability of exploit code substantially elevates operational risk and likelihood of opportunistic attacks.

Affected systems

OFCMS version 1.1.3 is confirmed vulnerable. Earlier or later versions have not been explicitly assessed in the available advisory data; verify the affected version range through the official OFCMS project advisories. Systems with network-exposed OFCMS instances and active user authentication are at highest risk. Air-gapped or internal deployments with restricted user access present lower immediate exposure.

Exploitability

Exploitability is elevated. The attack requires valid authentication credentials, which limits the attack surface to known or compromised user accounts; however, the low attack complexity and network accessibility make it practical for insiders or attackers who have obtained user credentials through other means. Public exploit code is available, removing the requirement for attackers to develop their own payloads. No user interaction is needed once the attacker is authenticated.

Remediation

Immediately update OFCMS to a patched version released by the project (verify the specific version against official OFCMS advisories). If an update is not yet available, implement network-level access controls to restrict JSON Query Interface endpoints to trusted IP ranges, disable the Query function if unused, and enforce principle of least privilege on database accounts used by the application. Review access logs for suspicious query patterns. Consider using a Web Application Firewall (WAF) to detect and block SQL injection attempts.

Patch guidance

Consult the official OFCMS project repository and security advisories for patched release versions. Apply patches as soon as they become available. Test patches in a non-production environment first to ensure compatibility with your deployment. If the vendor has not yet released a patch despite early notification, interim mitigations (WAF rules, network segmentation, credential rotation) should be applied while awaiting a fix.

Detection guidance

Monitor database query logs for anomalous SQL patterns, such as UNION SELECT, comment sequences (-- or /**/), or time-based conditional statements in queries originating from the JSON Query Interface. Alert on authentication failures followed by repeated Query function calls from the same user account. Implement intrusion detection signatures targeting SQL injection payloads in HTTP request bodies sent to the vulnerable endpoint. Log all JSON payloads submitted to the Query function for forensic analysis.

Why prioritize this

Although the CVSS score is moderate (6.3) and the vulnerability requires authentication, the combination of public exploit availability, network accessibility, and potential for sensitive data exposure warrants prompt patching. Authenticated SQL injection in user management systems poses particular risk because database access may extend to other systems or sensitive records. Organizations should prioritize this within 30 days of patch availability.

Risk score, explained

The CVSS 3.1 score of 6.3 (MEDIUM) reflects network accessibility and low attack complexity, offset by the requirement for prior authentication and limited scope of impact. The score does not account for the amplified risk from public exploit code; real-world risk should be assessed as elevated relative to the base score in environments where user credentials are weak, shared, or previously compromised.

Frequently asked questions

Do I need to be an administrator to exploit this vulnerability?

No. The CVSS vector indicates PR:L (low privilege required), meaning any authenticated user of the OFCMS system can potentially exploit this flaw. You do not need admin credentials, only valid user login.

What if we do not use the JSON Query Interface feature?

If your OFCMS deployment does not expose or utilize the Query function in SysUserController, your exposure is reduced. However, we recommend confirming through code review or configuration audit that the endpoint is truly disabled rather than relying on non-use alone.

Is this vulnerability on the CISA KEV list?

No, CVE-2026-10204 is not currently listed on CISA's Known Exploited Vulnerabilities catalog. However, public exploit code has been released, so it may be added in the future.

Can a WAF protect us before we patch?

Yes, a WAF configured with SQL injection detection rules can provide interim protection by identifying and blocking malicious payloads in JSON requests. However, WAF rules are imperfect and should not be considered a permanent substitute for patching.

This analysis is based on the public CVE record and available vulnerability data as of the publication date. Patch availability and specific remediation steps should be verified against the official OFCMS project advisories and your vendor's support channels. Organizations are responsible for assessing their own risk tolerance and testing patches before production deployment. SEC.co does not provide legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).