CVE-2026-10514: Cross-site scripting in 1Panel-dev CordysCRM up to 1.6.2
Summary
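A cross-site scripting (XSS) flaw in an unidentified function of backend/framework/src/main/java/cn/cordys/config/RequestParamTrimConfig.java in 1Panel-dev CordysCRM lets a remote attacker inject malicious code into a website, potentially leading to unauthorized actions. This issue affects versions 1.6.2 and earlier. To fix it, upgrade to version 1.7.0 or later.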
Original title
A vulnerability has been found in 1Panel-dev CordysCRM up to 1.6.2. This affects an unknown function of the file backend/framework/src/main/java/cn/cordys/config/RequestParamTrimConfig.java. The ma...
Original description
A vulnerability has been found in 1Panel-dev CordysCRM up to 1.6.2. This affects an unknown function of the file backend/framework/src/main/java/cn/cordys/config/RequestParamTrimConfig.java. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.0 mitigates this issue. The identifier of the patch is c87682afa8df79853299f75489c9d333f7bc5fce. It is suggested to upgrade the affected component.
nvd CVSS2.0: 3.3
nvd CVSS3.1: 2.4
nvd CVSS4.0: 1.9
Vulnerability type
- CWE-79: Cross-site Scripting (XSS)
- CWE-94: Code Injection
- https://github.com/1Panel-dev/CordysCRM/
- https://github.com/1Panel-dev/CordysCRM/commit/c87682afa8df79853299f75489c9d333f...
- https://github.com/1Panel-dev/CordysCRM/issues/2229
- https://github.com/1Panel-dev/CordysCRM/pull/2356
- https://github.com/1Panel-dev/CordysCRM/releases/tag/v1.7.0
- https://vuldb.com/cve/CVE-2026-10514
- https://vuldb.com/submit/828296
- https://vuldb.com/vuln/367596
- https://vuldb.com/vuln/367596/cti
Published: 2 Jun 2026 · Updated: 2 Jun 2026 · First seen: 2 Jun 2026