CVE-2026-10567
Deferred Deferred - Pending Action
Cross-Site Scripting in 1Panel-dev CordysCRM

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: VulDB

Description
A security vulnerability has been detected in 1Panel-dev CordysCRM up to 1.4.1. This impacts the function Save of the file src/main/java/cn/cordys/crm/system/service/ModuleFormService.java of the component ModuleFormController. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.7.0 will fix this issue. The identifier of the patch is c87682afa8df79853299f75489c9d333f7bc5fce. Upgrading the affected component is recommended.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-10567
EUVD
EUVD-2026-33875
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
1panel-dev cordyscrm to 1.4.1 (inc)
1panel-dev cordyscrm 1.7.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10567 is a stored Cross-Site Scripting (XSS) vulnerability found in 1Panel-dev CordysCRM up to version 1.4.1. It affects the Save function in the ModuleFormController component, specifically in the handling of the Description argument. The vulnerability arises because the application does not properly validate or encode the Description parameter when saving form data, allowing an attacker to inject malicious JavaScript code.

An attacker can exploit this vulnerability remotely by submitting crafted input containing malicious scripts via the form save interface. When other users access the affected form, the injected script executes in their browsers, potentially leading to unauthorized actions or data theft.

The root cause is the lack of XSS filtering in multiple layers of the application, including ModuleFormController, ModuleFormCacheService, and ModuleFormService classes. The issue has been fixed by upgrading to version 1.7.0, which implements configurable URL-based XSS protection.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts in the browsers of users who access the affected form. This can lead to unauthorized actions such as session hijacking, data theft, or manipulation of user interactions within the application.

Since the malicious script is stored in the database and executed whenever the form is accessed, it poses a persistent threat that can affect multiple users over time.

Exploitation requires only that an attacker submit a specially crafted payload in the Description field, which then triggers the script execution in other users' browsers, potentially compromising sensitive information or application integrity.

Detection Guidance

This vulnerability can be detected by testing the /module/form/save interface for stored cross-site scripting (XSS) by submitting malicious payloads in the Description field. For example, injecting a payload like <img src=x onerror=alert('XSS')> into the description parameter can trigger the vulnerability if the system is affected.

Detection can involve sending HTTP POST requests to the vulnerable endpoint with crafted payloads and observing if the script executes when the form is accessed or saved.

Example command using curl to test the vulnerability:

  • curl -X POST https://[target-domain]/module/form/save -d "Description=<img src=x onerror=alert('XSS')>" -H "Content-Type: application/x-www-form-urlencoded"

If the alert box or script execution occurs when accessing the form, it indicates the presence of the vulnerability.

Mitigation Strategies

The primary mitigation step is to upgrade CordysCRM to version 1.7.0 or later, where the vulnerability has been fixed.

Additional immediate measures include:

  • Implement input filtering and validation on the Description parameter using security libraries such as AntiSamy.
  • Ensure proper output escaping to prevent execution of injected scripts.
  • Configure Content Security Policy (CSP) headers to restrict inline script execution and reduce the impact of XSS attacks.
  • Apply configurable URL-based XSS filtering as introduced in the patch, by setting the `xss.protection.url.list` property in the cordys-crm.properties file to specify which URLs require XSS protection.
Compliance Impact

The vulnerability is a stored cross-site scripting (XSS) issue that allows attackers to inject malicious scripts which execute in users' browsers. Such vulnerabilities can lead to unauthorized actions or data theft.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, stored XSS vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations.

Exploitation of this vulnerability could potentially lead to unauthorized access or exposure of personal or sensitive data, thereby impacting compliance with data protection regulations that require safeguarding user data against such attacks.

Mitigation steps such as upgrading to version 1.7.0, implementing input filtering, output escaping, and configuring Content Security Policy (CSP) are recommended to reduce the risk and help maintain compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10567. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart