CVE-2026-10567

Description

A security vulnerability has been detected in 1Panel-dev CordysCRM up to 1.4.1. This impacts the function Save of the file src/main/java/cn/cordys/crm/system/service/ModuleFormService.java of the component ModuleFormController. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.7.0 will fix this issue. The identifier of the patch is c87682afa8df79853299f75489c9d333f7bc5fce. Upgrading the affected component is recommended.

PUBLISHED Reserved 2026-06-01 | Published 2026-06-02 | Updated 2026-06-02 | Assigner VulDB

Problem types

Cross Site Scripting

Code Injection

Product status

Timeline

Credits

DaytimeHeaven (VulDB User) reporter

References

vuldb.com/vuln/367674 (VDB-367674 | 1Panel-dev CordysCRM ModuleFormController ModuleFormService.java save cross site scripting) vdb-entry technical-description

vuldb.com/vuln/367674/cti (VDB-367674 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/cve/CVE-2026-10567 (CVE-2026-10567 | CVE Analysis and Report) third-party-advisory

vuldb.com/submit/829316 (Submit #829316 | https://github.com/1Panel-dev/CordysCRM CordysCRM v1.4.1 Stored XSS) third-party-advisory

github.com/1Panel-dev/CordysCRM/issues/2233 exploit issue-tracking

github.com/1Panel-dev/CordysCRM/pull/2356 issue-tracking patch

github.com/...ommit/c87682afa8df79853299f75489c9d333f7bc5fce patch

github.com/1Panel-dev/CordysCRM/releases/tag/v1.7.0 patch

github.com/1Panel-dev/CordysCRM/ product

cve.org (CVE-2026-10567)

nvd.nist.gov (CVE-2026-10567)

Download JSON