Home

Description

A vulnerability has been found in 1Panel-dev CordysCRM up to 1.6.2. This affects an unknown function of the file backend/framework/src/main/java/cn/cordys/config/RequestParamTrimConfig.java. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.0 mitigates this issue. The identifier of the patch is c87682afa8df79853299f75489c9d333f7bc5fce. It is suggested to upgrade the affected component.

PUBLISHED Reserved 2026-06-01 | Published 2026-06-01 | Updated 2026-06-02 | Assigner VulDB




MEDIUM: 4.8CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
LOW: 2.4CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
LOW: 2.4CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
3.3AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:OF/RC:C

Problem types

Cross Site Scripting

Code Injection

Product status

1.6.0
affected

1.6.1
affected

1.6.2
affected

1.7.0
unaffected

Timeline

2026-06-01:Advisory disclosed
2026-06-01:VulDB entry created
2026-06-01:VulDB entry last update

Credits

DaytimeHeaven (VulDB User) reporter

References

vuldb.com/vuln/367596 (VDB-367596 | 1Panel-dev CordysCRM RequestParamTrimConfig.java cross site scripting) vdb-entry

vuldb.com/vuln/367596/cti (VDB-367596 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/cve/CVE-2026-10514 (CVE-2026-10514 | CVE Analysis and Report) third-party-advisory

vuldb.com/submit/828296 (Submit #828296 | https://github.com/1Panel-dev/CordysCRM CordysCRM v1.4.1 Stored XSS) third-party-advisory

github.com/1Panel-dev/CordysCRM/issues/2229 exploit issue-tracking

github.com/1Panel-dev/CordysCRM/pull/2356 issue-tracking patch

github.com/...ommit/c87682afa8df79853299f75489c9d333f7bc5fce patch

github.com/1Panel-dev/CordysCRM/releases/tag/v1.7.0 patch

github.com/1Panel-dev/CordysCRM/ product

cve.org (CVE-2026-10514)

nvd.nist.gov (CVE-2026-10514)

Download JSON