CVE-2026-10567
Received - Intake
Cross-Site Scripting in 1Panel-dev CordysCRM

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: VulDB

Description
A security vulnerability has been detected in 1Panel-dev CordysCRM up to 1.4.1. This impacts the function Save of the file src/main/java/cn/cordys/crm/system/service/ModuleFormService.java of the component ModuleFormController. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.7.0 will fix this issue. The identifier of the patch is c87682afa8df79853299f75489c9d333f7bc5fce. Upgrading the affected component is recommended.
Meta Information
Published: 2026-06-02
Last Modified: 2026-06-02
Generated: 2026-06-02
AI Q&A: 2026-06-02
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor      Product    Version / Range
1panel-dev  cordyscrm  up to 1.4.1 (inclusive)
1panel-dev  cordyscrm  1.7.0 (fixed version)
CWE
CWE ID   Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-10567 is a stored Cross-Site Scripting (XSS) vulnerability in 1Panel-dev CordysCRM up to and including version 1.4.1. It affects the Save function in src/main/java/cn/cordys/crm/system/service/ModuleFormService.java, reached through the ModuleFormController component, specifically in the handling of the Description argument. The vulnerability arises because the application neither validates the Description value on input nor encodes it on output when saving form data, so an attacker can store markup that is later rendered as live HTML and executed as JavaScript.

An attacker can exploit this vulnerability remotely by submitting crafted input containing malicious scripts via the form save interface. When other users access the affected form, the injected script executes in their browsers, potentially leading to unauthorized actions or data theft.

The root cause is the lack of XSS filtering in multiple layers of the application, including ModuleFormController, ModuleFormCacheService, and ModuleFormService classes. The issue has been fixed by upgrading to version 1.7.0, which implements configurable URL-based XSS protection.


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to execute malicious scripts in the browsers of users who access the affected form. This can lead to unauthorized actions such as session hijacking, data theft, or manipulation of user interactions within the application.

Since the malicious script is stored in the database and executed whenever the form is accessed, it poses a persistent threat that can affect multiple users over time.

Exploitation requires only that an attacker submit a specially crafted payload in the Description field, which then triggers the script execution in other users' browsers, potentially compromising sensitive information or application integrity.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be tested for by submitting a stored cross-site scripting (XSS) probe to the /module/form/save interface in the Description field and then checking how the stored value comes back. For example, a payload such as <img src=x onerror=alert('XSS')> in the description parameter is stored and rendered as live markup on an affected version, whereas a patched or correctly escaping version returns it entity-encoded (&lt;img ...&gt;) or stripped.

Detection therefore has two parts: send an HTTP POST to the endpoint with the crafted value, then fetch the form (or the API response that returns it) and inspect whether the payload appears unencoded. Do this only against an instance you are authorised to test, and check the installed version first: anything at 1.4.1 or below is in the affected range.

Example command using curl to submit the probe:

  • curl -X POST "https://[target-domain]/module/form/save" -H "Content-Type: application/x-www-form-urlencoded" --data-urlencode "Description=<img src=x onerror=alert('XSS')>"

Notes on the command: --data-urlencode is used so that the angle brackets and quotes reach the server intact; the real request will usually need the session cookie or token of an authenticated user, and the exact parameter encoding (form fields versus a JSON body) depends on the deployed controller, so mirror what the application's own form submission sends. curl itself will not show an alert box. The indicator is the raw <img ...> tag in the stored description when the form is later retrieved; opening that form in a browser and seeing the alert confirms execution.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade CordysCRM to version 1.7.0 or later, where the vulnerability has been fixed.

Additional immediate measures include:

  • Implement input filtering and validation on the Description parameter using security libraries such as AntiSamy.
  • Ensure proper output escaping to prevent execution of injected scripts.
  • Configure Content Security Policy (CSP) headers to restrict inline script execution and reduce the impact of XSS attacks.
  • Apply configurable URL-based XSS filtering as introduced in the patch, by setting the `xss.protection.url.list` property in the cordys-crm.properties file to specify which URLs require XSS protection.
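As an added worked example covering both the detection answer above and the output-escaping item in this list (illustrative Python, not CordysCRM's Java code; the TEMPLATE string and all function names are hypothetical), the block below contrasts a render path that interpolates Description raw with one that entity-encodes it, classifies how a submitted canary comes back from each, and checks a version string against the advisory's affected range.

```python
import html
import re
import secrets

# Hypothetical render template standing in for the page that displays a
# module form's Description field; not taken from CordysCRM.
TEMPLATE = '<div class="module-form-description">{description}</div>'


def make_canary(token=None):
    """Build a stored-XSS probe carrying a unique token.

    Using a token instead of the classic alert('XSS') lets the check match
    exactly what was submitted and not any other <img> already on the page.
    """
    token = token or secrets.token_hex(4)
    return f"<img src=x onerror=\"alert('{token}')\">", token


def render_unsafe(description):
    """Behaviour the advisory describes for versions up to 1.4.1: the value
    is placed into the page without any encoding, so markup becomes live."""
    return TEMPLATE.format(description=description)


def render_safe(description):
    """Output-encoded rendering: the value is shown as text, never as markup."""
    return TEMPLATE.format(description=html.escape(description, quote=True))


def classify_canary(body, canary, token):
    """Classify how a submitted canary comes back in a page or API body.

    'unescaped' - the exact tag is present verbatim: stored XSS confirmed
    'escaped'   - the token survives only inside entity-encoded text
    'absent'    - the token is gone (rejected, stripped, or never stored)
    """
    if canary in body:
        return "unescaped"
    if token in html.unescape(body):
        return "escaped"
    return "absent"


def is_affected_version(version):
    """True for versions in the advisory's affected range, up to 1.4.1 inclusive.

    Only the leading numeric components are compared; a 'v' prefix and
    pre-release suffixes such as '-rc1' are ignored (assumption).
    """
    m = re.match(r"^v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts <= (1, 4, 1)


if __name__ == "__main__":
    canary, token = make_canary()
    for name, page in (("unsafe", render_unsafe(canary)),
                       ("safe", render_safe(canary))):
        print(f"{name:6s} -> {classify_canary(page, canary, token)}")
    for v in ("1.4.1", "1.4.10", "1.7.0", "v1.4.1-rc1"):
        print(f"{v:11s} affected={is_affected_version(v)}")
```

On a live target, pass the fetched form page or API response as `body`: an 'unescaped' result on a pre-1.7.0 install is the finding, and an 'escaped' result for the same request after upgrading confirms that output encoding is in place.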

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability is a stored cross-site scripting (XSS) issue that allows attackers to inject malicious scripts which execute in users' browsers. Such vulnerabilities can lead to unauthorized actions or data theft.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, stored XSS vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations.

Exploitation of this vulnerability could potentially lead to unauthorized access or exposure of personal or sensitive data, thereby impacting compliance with data protection regulations that require safeguarding user data against such attacks.

Mitigation steps such as upgrading to version 1.7.0, implementing input filtering, output escaping, and configuring Content Security Policy (CSP) are recommended to reduce the risk and help maintain compliance.

