CVE-2026-10514
Deferred Deferred - Pending Action
Cross-Site Scripting in 1Panel-dev CordysCRM

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: VulDB

Description
A vulnerability has been found in 1Panel-dev CordysCRM up to 1.6.2. This affects an unknown function of the file backend/framework/src/main/java/cn/cordys/config/RequestParamTrimConfig.java. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.0 mitigates this issue. The identifier of the patch is c87682afa8df79853299f75489c9d333f7bc5fce. It is suggested to upgrade the affected component.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-10514
EUVD
EUVD-2026-33853
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
1panel-dev cordyscrm to 1.6.2 (inc)
1panel-dev cordyscrm 1.7.0
1panel-dev cordyscrm 1.4.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Scripting (XSS) issue found in 1Panel-dev CordysCRM versions up to 1.6.2. It affects a function in the file RequestParamTrimConfig.java, where improper handling of request parameters allows an attacker to inject malicious scripts. These scripts can be executed in the browsers of users interacting with the affected system. The vulnerability can be exploited remotely, and the exploit has been publicly disclosed.

The vulnerability was addressed by introducing configurable URL-based XSS filtering rather than a global escape, allowing specific endpoints to be protected against XSS attacks. This fix was implemented in version 1.7.0.

Impact Analysis

This Cross-Site Scripting (XSS) vulnerability can allow attackers to inject malicious scripts into the application, which then execute in the browsers of users who visit affected pages. This can lead to unauthorized actions performed on behalf of users, theft of sensitive information such as session tokens, or manipulation of the user interface.

Since the vulnerability can be exploited remotely, attackers do not need physical access to the system. The impact is limited to integrity (low severity) as per CVSS scores, but it can still compromise user trust and application security.

Detection Guidance

Detection of this vulnerability involves identifying attempts to exploit Cross-Site Scripting (XSS) in the affected CordysCRM versions up to 1.6.2, particularly targeting endpoints that process user input without proper sanitization.

Since the vulnerability relates to specific URL patterns where XSS filtering was not applied, monitoring HTTP requests to these endpoints for suspicious payloads (e.g., JavaScript code or HTML tags like <img src=x onerror=...>) can help detect exploitation attempts.

Commands to detect such attempts could include using network monitoring tools or web server logs to search for typical XSS payloads in request parameters. For example, using grep on server logs:

  • grep -i -E "<script|onerror=|<img|javascript:" /path/to/access.log
  • Using intrusion detection systems (IDS) or web application firewalls (WAF) with rules to detect XSS payloads on the affected URLs.

Additionally, reviewing the configuration of the `xss.protection.url.list` in the cordys-crm.properties file can help identify which URLs require monitoring or filtering.

Mitigation Strategies

The primary and recommended mitigation step is to upgrade CordysCRM to version 1.7.0 or later, where the vulnerability has been fixed.

Version 1.7.0 includes critical security fixes addressing XSS vulnerabilities by implementing configurable URL-based XSS filtering, allowing administrators to specify which endpoints require protection.

In addition to upgrading, it is advised to configure the `xss.protection.url.list` setting in the cordys-crm.properties file to specify the URLs that need XSS filtering, as the system does not apply global filtering by default.

Other recommended measures include:

  • Implement input validation and sanitization on user inputs, especially on endpoints that accept announcements or other user-generated content.
  • Apply output escaping when rendering content to prevent execution of malicious scripts.
  • Configure Content Security Policy (CSP) headers to restrict inline script execution and reduce impact of potential XSS.
Compliance Impact

The vulnerability is a Cross-Site Scripting (XSS) issue in CordysCRM that allows remote attackers to inject malicious scripts. Such vulnerabilities can lead to unauthorized script execution in users' browsers, potentially exposing sensitive data or enabling session hijacking.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, XSS vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations.

Failure to mitigate XSS vulnerabilities could result in non-compliance with data protection requirements under GDPR and HIPAA, as these standards mandate appropriate security measures to protect personal and sensitive information from unauthorized access or disclosure.

Upgrading to CordysCRM version 1.7.0 and applying the recommended XSS protections (such as configurable URL filtering and input/output sanitization) helps reduce the risk and supports compliance efforts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10514. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart