CVE-2026-0588
Unknown Unknown - Not Provided
Cross-Site Scripting in Xinhu Rainrock RockOA API (rockfun.php

Publication date: 2026-01-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in Xinhu Rainrock RockOA up to 2.7.1. Affected by this vulnerability is an unknown functionality of the file rockfun.php of the component API. This manipulation of the argument callback causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-05
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-0588
EUVD
EUVD-2026-0861
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xinhu rainrock_rockoa to 2.7.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-0588 is a cross-site scripting (XSS) vulnerability in Xinhu Rainrock RockOA up to version 2.7.1, specifically in the API component file rockfun.php. The vulnerability occurs because the 'callback' parameter is not properly sanitized before being included in the web page output. This allows an attacker to inject malicious JavaScript code remotely by manipulating the 'callback' argument, which can then execute in the victim's browser. The vulnerability requires user interaction to be exploited and bypasses the Same-Origin Policy, enabling arbitrary script execution. [1, 2]

Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript code in the context of the victim's browser. This can lead to theft of sensitive information, such as session tokens or credentials, and can be used to perform attacks against administrators or other users. Because the attack can be initiated remotely and requires user interaction, it poses a risk of data compromise and unauthorized actions within the affected application. [1, 2]

Detection Guidance

This vulnerability can be detected by checking for the presence of the vulnerable file rockfun.php in Xinhu Rainrock RockOA version up to 2.7.1 and testing the 'callback' parameter for improper handling. One method is to send a crafted HTTP request to the API endpoint with a malicious 'callback' parameter and observe if the response reflects the injected script. For example, you can use curl to test the vulnerability: curl -i "http://[target]/api.php?callback=<script>alert('xss_test')</script>". If the response includes the script tag without proper escaping, the system is vulnerable. Additionally, attackers may locate vulnerable targets using Google dorking with the query: inurl:rockfun.php. [1, 2]

Mitigation Strategies

Immediate mitigation steps include replacing or upgrading the affected product or component, as no official vendor patch or countermeasure has been reported. As a temporary workaround, you can implement input validation and sanitization on the 'callback' parameter to prevent script injection. Restricting access to the vulnerable API endpoint and monitoring for suspicious requests may also help reduce risk until a proper fix is applied. [1]

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0588. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart