1Panel-dev CordysCRM ModuleFormController ModuleFormService.java save cross site scripting_CVE-2026-10567

5.1 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Description

A security vulnerability has been detected in 1Panel-dev CordysCRM up to 1.4.1. This impacts the function Save of the file src/main/java/cn/cordys/crm/system/service/ModuleFormService.java of the component ModuleFormController. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.7.0 will fix this issue. The identifier of the patch is c87682afa8df79853299f75489c9d333f7bc5fce. Upgrading the affected component is recommended.

Basic Information

ID CVE-2026-10567

Source VulDB

Published Jun 2, 2026 at 02:00

Affected Product

Vendor 1Panel-dev

Product CordysCRM

Version 1.4.0

Affected Versions 1Panel-dev CordysCRM 1.4.0
1Panel-dev CordysCRM 1.4.1

CWE Classification

CWE-79 CWE-94

References

{
    "lastseen": "",
    "description": "A security vulnerability has been detected in 1Panel-dev CordysCRM up to 1.4.1. This impacts the function Save of the file src/main/java/cn/cordys/crm/system/service/ModuleFormService.java of the component ModuleFormController. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.7.0 will fix this issue. The identifier of the patch is c87682afa8df79853299f75489c9d333f7bc5fce. Upgrading the affected component is recommended.",
    "published": "2026-06-02T02:00:15.087Z",
    "modified": "2026-06-02T02:00:15.087Z",
    "type": "cve",
    "title": "1Panel-dev CordysCRM ModuleFormController ModuleFormService.java save cross site scripting",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/367674\nhttps://vuldb.com/vuln/367674/cti\nhttps://vuldb.com/cve/CVE-2026-10567\nhttps://vuldb.com/submit/829316\nhttps://github.com/1Panel-dev/CordysCRM/issues/2233\nhttps://github.com/1Panel-dev/CordysCRM/pull/2356\nhttps://github.com/1Panel-dev/CordysCRM/commit/c87682afa8df79853299f75489c9d333f7bc5fce\nhttps://github.com/1Panel-dev/CordysCRM/releases/tag/v1.7.0\nhttps://github.com/1Panel-dev/CordysCRM/",
    "id": "CVE-2026-10567",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79",
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "1Panel-dev CordysCRM 1.4.0\n1Panel-dev CordysCRM 1.4.1",
    "sourceHref": "",
    "cvss": {
        "score": 5.1,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "CordysCRM",
    "version": "1.4.0",
    "vendor": "1Panel-dev",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}