CVE-2026-10203
Deferred Deferred - Pending Action
SQL Injection in OFCMS 1.1.3 JSON Query Interface

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A security flaw has been discovered in OFCMS 1.1.3. Impacted is the function Query of the file \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SystemParamController.java of the component JSON Query Interface. The manipulation results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-10203
EUVD
EUVD-2026-33525
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ofsoft ofcms 1.1.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an SQL injection flaw in OFCMS version 1.1.3, specifically in the Query function of the SystemParamController.java file. It occurs because the 'field' parameter is not properly validated and is directly appended to the ORDER BY clause in SQL queries. Attackers can exploit this by injecting malicious SQL code through the 'field' parameter, enabling blind SQL injection attacks that use nested subqueries and Boolean logic.

The vulnerability allows attackers to send crafted payloads to extract sensitive data from the database, such as the admin user's password. The attack involves determining the password length and then brute-forcing each character to reconstruct the full password.

The root cause is the lack of input filtering and the absence of a whitelist for allowed fields in the ORDER BY clause, which leads to the direct inclusion of user-controlled input in SQL queries.

Compliance Impact

The SQL injection vulnerability in OFCMS 1.1.3 allows attackers to extract sensitive data, including the admin user's password. This unauthorized access to sensitive information can lead to violations of data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive data against unauthorized access and breaches.

Failure to mitigate this vulnerability may result in non-compliance with these standards due to inadequate data security controls, potentially leading to legal and financial consequences.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive data stored in the database. Specifically, attackers can extract confidential information such as the administrator's password.

Successful exploitation can lead to a full compromise of the administrative account, allowing attackers to control the system, manipulate data, and potentially escalate their privileges.

Since the attack can be launched remotely without user interaction, it increases the risk of widespread exploitation.

Detection Guidance

This vulnerability can be detected by testing the /admin/system/param/query.json interface for SQL injection through the 'field' parameter. Specifically, crafted payloads can be sent to the 'field' and 'sort' parameters to check if SQL injection is possible by observing responses to blind SQL injection attempts.

For detection, you can use tools like curl or sqlmap to send payloads targeting the 'field' parameter to see if the backend SQL query is vulnerable.

  • Example curl command to test injection: curl -G 'http://<target>/admin/system/param/query.json' --data-urlencode "field=1' OR '1'='1" --data-urlencode "sort=asc"
  • Using sqlmap: sqlmap -u "http://<target>/admin/system/param/query.json?field=fieldname&sort=asc" --param-del=field --batch
Mitigation Strategies

Immediate mitigation steps include filtering user input data for the 'field' parameter and implementing a whitelist of allowed fields that can be used in SQL ORDER BY clauses.

Ensure that only predefined, safe fields are appended to SQL queries to prevent injection.

Additionally, monitor and restrict access to the vulnerable interface and consider applying any patches or updates once available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10203. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart