CVE-2026-10514: CordysCRM Cross-Site Scripting (XSS) Vulnerability – Patch to 1.7.0
A cross-site scripting (XSS) vulnerability exists in CordysCRM versions up to 1.6.2. The flaw is located in a request parameter handling component and allows attackers with administrative privileges to inject malicious scripts that execute in users' browsers. While public exploit code is available, the attack requires both high-level credentials and user interaction (such as clicking a malicious link), significantly limiting real-world risk. Upgrading to version 1.7.0 resolves the issue.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 2.4 LOW · CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-79, CWE-94
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
A vulnerability has been found in 1Panel-dev CordysCRM up to 1.6.2. This affects an unknown function of the file backend/framework/src/main/java/cn/cordys/config/RequestParamTrimConfig.java. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.0 mitigates this issue. The identifier of the patch is c87682afa8df79853299f75489c9d333f7bc5fce. It is suggested to upgrade the affected component.
9 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the RequestParamTrimConfig.java file within CordysCRM's backend framework, where user-supplied input is insufficiently sanitized before being reflected back to the client. This enables stored or reflected XSS attacks (CWE-79). The attack vector also suggests code execution concerns (CWE-94), though the primary manifestation is script injection. Exploitation requires network access and authentication at the administrator level, combined with successful social engineering to induce a privileged user to visit a crafted URL or interact with injected content.
Business impact
The business risk is limited by the attack prerequisites. An attacker would need valid administrative credentials and the ability to trick a high-privilege user into triggering the vulnerability. Successful exploitation could lead to session hijacking, credential theft, or defacement of the CordysCRM interface visible to that user. For organizations with strict access controls and security awareness training, the practical risk is low. However, if administrative accounts are shared, poorly managed, or if the organization operates in a high-social-engineering environment, the risk profile increases.
Affected systems
CordysCRM versions 1.6.2 and earlier are affected. The vulnerability has been patched in version 1.7.0. Organizations running on-premises or cloud instances of CordysCRM should verify their current version against the 1.7.0 release baseline. Since no vendor product metadata was provided in the source data, confirm your specific deployment and any custom extensions that may also require updates.
Exploitability
While exploit code is publicly disclosed, exploitability is constrained by three factors: (1) network access requirement, (2) administrative authentication requirement, and (3) user interaction requirement. These factors collectively result in a CVSS score of 2.4 (LOW severity). An attacker cannot exploit this remotely without valid credentials and cannot achieve exploitation without victim action. The public disclosure of proof-of-concept code does increase the likelihood of opportunistic attacks against organizations with poor credential hygiene, but does not materially change the technical barriers to exploitation.
Remediation
Upgrade CordysCRM to version 1.7.0 or later. The patch is identified by commit hash c87682afa8df79853299f75489c9d333f7bc5fce. Before upgrading, review release notes and test in a non-production environment to ensure compatibility with any customizations or integrations. Implement defense-in-depth measures: enforce strong password policies for administrative accounts, limit administrative access to trusted networks or VPN, enable multi-factor authentication, and conduct security awareness training on phishing and social engineering.
Patch guidance
Obtain version 1.7.0 through the official CordysCRM release channel. Verify the patch commit hash (c87682afa8df79853299f75489c9d333f7bc5fce) in your downloaded package. Test thoroughly in a staging environment before production deployment. If you cannot upgrade immediately, consider temporary mitigations: restrict administrative user access to specific IP ranges, disable unused administrative accounts, and monitor access logs for suspicious activity from admin-level sessions.
Detection guidance
Search access logs for anomalous requests to the RequestParamTrimConfig or related parameter-handling endpoints, particularly from administrative users. Monitor for JavaScript payloads in request parameters or unusual characters (e.g., script tags, event handlers) in form submissions. Use web application firewalls (WAF) to block requests containing common XSS patterns. Inspect DOM-based content changes or unexpected redirects in browser sessions following administrative logins. Log analysis should focus on requests that include encoded or obfuscated script content targeting the affected framework component.
Why prioritize this
Despite public exploit availability, this vulnerability merits moderate-to-low priority due to its strict exploitation prerequisites. Prioritize patching if: (1) your organization has high-risk user communities (high-volume phishing targets, geopolitical significance), (2) administrative credentials are known to be compromised or at elevated risk, or (3) you operate in a defense or critical infrastructure sector where supply-chain attacks are a concern. Standard commercial environments should schedule patching during normal maintenance windows but need not treat this as critical or emergency.
Risk score, explained
The CVSS 3.1 score of 2.4 reflects low severity because the attack requires: (A) network access only, but (B) HIGH privilege level (Admin authentication), (C) user interaction (victim must perform action), and (D) impact is limited to integrity (script injection visible to the user, not confidentiality breach or system availability). The score would be significantly higher if exploitation were unauthenticated or didn't require user interaction. The public exploit disclosure does not elevate the intrinsic CVSS score but does increase the likelihood of exploitation attempts.
Frequently asked questions
Can this vulnerability be exploited without administrative credentials?
No. The vulnerability requires valid administrative authentication to the CordysCRM application. An unauthenticated attacker cannot exploit it. This significantly limits the attack surface compared to unauthenticated XSS vulnerabilities.
What is the difference between this XSS and other high-severity XSS vulnerabilities?
This vulnerability requires both high-privilege access and user interaction. Many critical XSS vulnerabilities require neither. The combination of these controls—reinforced by access management and user awareness—keeps this at LOW severity despite being publicly exploited.
Do I need to patch immediately if I have strong access controls?
Not necessarily. If your organization enforces MFA on administrative accounts, restricts admin access to VPNs or trusted networks, and monitors for anomalous logins, you can patch this during normal maintenance cycles. However, if you suspect any admin account compromise, patch urgently and audit account activity.
Will upgrading to 1.7.0 break my existing configurations?
The source data does not specify breaking changes in version 1.7.0. Before upgrading production systems, always review the vendor's release notes and test in a staging environment with your specific configurations and customizations.
This analysis is based on the CVE record as of the publication and modification dates provided (2026-06-02 to 2026-06-17). Patch version numbers and commit hashes are derived from the source CVE data; verify them against the official CordysCRM vendor advisory before deploying. Organizations should conduct their own risk assessment based on their specific deployment, configuration, user population, and threat model. This document does not constitute professional security advice; consult your security team and vendor support for tailored guidance. SEC.co makes no warranty regarding the accuracy, completeness, or timeliness of this information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10112LOWXSS in STUDENT-MANAGEMENT-SYSTEM 1.0 Dashboard
- CVE-2026-10228LOWXSS Vulnerability in raisulislamg4 Student Management System
- CVE-2026-10234LOWMettle Sendportal XSS Vulnerability – Campaign Handler Remote Exploit
- CVE-2026-10244LOWSourceCodester Pharmacy Sales and Inventory System XSS Vulnerability
- CVE-2026-10245LOWStored XSS in SourceCodester Pharmacy Sales and Inventory System 1.0
- CVE-2026-10246LOWStored XSS in SourceCodester Pharmacy System 1.0 – Remediation Guide
- CVE-2026-10247LOWXSS in SourceCodester Pharmacy Sales System 1.0
- CVE-2026-10529LOWwestboy CicadasCMS XSS in Task Scheduling Module