LOW 3.5

CVE-2026-10567: Stored XSS in 1Panel-dev CordysCRM Versions Up to 1.4.1

A stored cross-site scripting (XSS) vulnerability exists in 1Panel-dev CordysCRM versions up to 1.4.1. An authenticated attacker can inject malicious JavaScript into the Description field of the ModuleFormController, which will execute in the browsers of other users who view the affected module form. The vulnerability requires user interaction (viewing the crafted form) to trigger, and does not grant the attacker direct access to sensitive data or system functions. Upgrading to version 1.7.0 resolves the issue.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.5 LOW · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-79, CWE-94
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

A security vulnerability has been detected in 1Panel-dev CordysCRM up to 1.4.1. This impacts the function Save of the file src/main/java/cn/cordys/crm/system/service/ModuleFormService.java of the component ModuleFormController. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.7.0 will fix this issue. The identifier of the patch is c87682afa8df79853299f75489c9d333f7bc5fce. Upgrading the affected component is recommended.

9 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in the ModuleFormService.java component's Save function, specifically in how it processes the Description parameter without adequate input sanitization or output encoding. The CWE-79 classification confirms stored XSS behavior; the secondary CWE-94 designation suggests potential code injection patterns in the broader codebase. The attack surface is restricted to authenticated users with the ability to modify module forms, but the stored nature of the XSS means the payload persists and affects all subsequent viewers. The CVSS 3.1 score of 3.5 reflects the requirement for authentication and user interaction, combined with impact limited to integrity rather than confidentiality or availability.

Business impact

This vulnerability poses a moderate insider-risk and compliance concern. An authenticated user—whether a legitimate employee or a compromised account—can deface forms, capture session tokens, redirect users to phishing sites, or perform actions on behalf of viewers. In multi-tenant or customer-facing CRM deployments, stored XSS can damage trust and create liability if customer data is accessed through the injected script. Organizations relying on CordysCRM for customer relationship management should prioritize patching to avoid potential data leakage or reputational harm from form tampering.

Affected systems

1Panel-dev CordysCRM versions 1.4.1 and earlier are vulnerable. Any deployment using the ModuleFormController component with an active user base that views or edits module forms is at risk. Systems on unsupported or custom-patched versions should verify their build against commit c87682afa8df79853299f75489c9d333f7bc5fce to confirm whether the fix is present.

Exploitability

The vulnerability has been publicly disclosed, increasing the likelihood of exploitation by threat actors. However, successful exploitation requires either a legitimate user account or credential compromise, and the attacker cannot trigger the payload directly—a victim must view the malicious form. The straightforward nature of XSS injection (injecting script tags into a text field) means skilled attackers with brief access to an account can quickly craft and deploy attacks. Organizations with weak access controls, shared credentials, or high user counts face elevated risk.

Remediation

Upgrade 1Panel-dev CordysCRM to version 1.7.0 or later. If immediate patching is not feasible, implement compensating controls: restrict edit permissions on module forms to a minimal set of trusted administrators, audit form modification logs for suspicious Description entries, and educate users not to open or interact with unfamiliar or unexpected form content. Additionally, consider deploying a Web Application Firewall (WAF) rule to detect and block common XSS patterns in the Description parameter as a temporary measure.

Patch guidance

Download and deploy 1Panel-dev CordysCRM version 1.7.0 from the official vendor repository. The patch commit c87682afa8df79853299f75489c9d333f7bc5fce introduces input validation and output encoding for the Description field. Test the upgrade in a staging environment to verify backward compatibility with existing module forms before rolling out to production. Monitor application logs during and after the upgrade for any anomalies.

Detection guidance

Scan deployed instances to confirm their version number; any version up to and including 1.4.1 is vulnerable. Examine recent module form modifications using application audit logs—look for Description entries containing HTML tags, JavaScript keywords (e.g., 'onload', 'onerror'), or URL schemes (e.g., 'javascript:'). Use endpoint detection and response (EDR) or SIEM tools to correlate suspicious form edits with unusual user session activity or browser-based data exfiltration. Conduct penetration testing of the ModuleFormController component in a lab environment to validate your detection rules.

Why prioritize this

Despite the low CVSS score, prioritize patching based on the public disclosure status and the authenticated-user attack surface in your environment. Organizations with high volumes of user accounts, frequent form modifications, or contractor/vendor access should elevate this to medium priority. If CordysCRM is internet-facing or part of a customer portal, treat as high priority due to the reputational and liability implications of stored XSS.

Risk score, explained

The CVSS 3.1 score of 3.5 (LOW) reflects the authentication requirement (PR:L), the necessity for user interaction (UI:R), and the integrity-only impact (I:L with no confidentiality or availability loss). However, this score does not account for the stored nature of the XSS, which amplifies real-world impact by affecting multiple users. Organizations should supplement CVSS with risk assessments that factor in user count, data sensitivity, and threat actor interest in their specific CRM deployment.

Frequently asked questions

Can this vulnerability be exploited without a valid user account?

No. The vulnerability requires authentication (an active CordysCRM user login) to access the ModuleFormController and inject malicious code into the Description field. However, in environments with weak password policies, shared credentials, or credential reuse, attackers may acquire valid credentials more easily than would otherwise be expected.

Does upgrading to version 1.7.0 require downtime or database migration?

Verify the vendor's release notes for version 1.7.0 to confirm upgrade requirements. Generally, patch releases prioritize backward compatibility, but your specific configuration may warrant testing in a staging environment first. Consult the official 1Panel-dev or CordysCRM documentation for detailed upgrade procedures.

Can a Web Application Firewall (WAF) block this attack if we cannot patch immediately?

A WAF can detect and block many XSS payloads if configured with rules targeting the Description parameter; however, WAF rules are often bypassed by encoded or obfuscated payloads. WAF protection should be treated as a temporary, compensating control, not a replacement for patching. Prioritize the upgrade to version 1.7.0.

How can we determine if this vulnerability has been exploited in our environment?

Review application audit logs for modifications to module forms, especially those containing HTML or JavaScript in the Description field. Cross-reference with user login activity to identify suspicious access patterns. Conduct a security audit of stored form data, and consider deploying web traffic monitoring to detect browser-based exfiltration attempts linked to form views.

This analysis is provided for informational purposes and reflects publicly available information as of the publication date. Organizations are responsible for verifying all patch version numbers, affected product versions, and upgrade procedures against official vendor advisories and their own environment configurations. SEC.co does not assume liability for misapplication of remediation guidance or for vulnerabilities that may emerge in subsequent software versions. Always test patches in a staging environment before deploying to production. This vulnerability assessment does not constitute professional security advice tailored to your specific organization; consult with qualified security professionals for implementation decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).