CVE-2026-0588
Cross-Site Scripting in Xinhu Rainrock RockOA API (rockfun.php
Publication date: 2026-01-05
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xinhu | rainrock_rockoa | to 2.7.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0588 is a cross-site scripting (XSS) vulnerability in Xinhu Rainrock RockOA up to version 2.7.1, specifically in the API component file rockfun.php. The vulnerability occurs because the 'callback' parameter is not properly sanitized before being included in the web page output. This allows an attacker to inject malicious JavaScript code remotely by manipulating the 'callback' argument, which can then execute in the victim's browser. The vulnerability requires user interaction to be exploited and bypasses the Same-Origin Policy, enabling arbitrary script execution. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary JavaScript code in the context of the victim's browser. This can lead to theft of sensitive information, such as session tokens or credentials, and can be used to perform attacks against administrators or other users. Because the attack can be initiated remotely and requires user interaction, it poses a risk of data compromise and unauthorized actions within the affected application. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable file rockfun.php in Xinhu Rainrock RockOA version up to 2.7.1 and testing the 'callback' parameter for improper handling. One method is to send a crafted HTTP request to the API endpoint with a malicious 'callback' parameter and observe if the response reflects the injected script. For example, you can use curl to test the vulnerability: curl -i "http://[target]/api.php?callback=<script>alert('xss_test')</script>". If the response includes the script tag without proper escaping, the system is vulnerable. Additionally, attackers may locate vulnerable targets using Google dorking with the query: inurl:rockfun.php. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing or upgrading the affected product or component, as no official vendor patch or countermeasure has been reported. As a temporary workaround, you can implement input validation and sanitization on the 'callback' parameter to prevent script injection. Restricting access to the vulnerable API endpoint and monitoring for suspicious requests may also help reduce risk until a proper fix is applied. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.