Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
2.0
CVE-2026-10567: CordysCRM Save Function Cross-Site Scripting Risk
CVE-2026-10567
Summary
A security risk has been found in the Save function of CordysCRM, which allows an attacker to inject malicious code. This could happen if an attacker sends a specially crafted request to the system. To fix this issue, upgrade to version 1.7.0 of CordysCRM.
Original title
A security vulnerability has been detected in 1Panel-dev CordysCRM up to 1.4.1. This impacts the function Save of the file src/main/java/cn/cordys/crm/system/service/ModuleFormService.java of the c...
Original description
A security vulnerability has been detected in 1Panel-dev CordysCRM up to 1.4.1. This impacts the function Save of the file src/main/java/cn/cordys/crm/system/service/ModuleFormService.java of the component ModuleFormController. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.7.0 will fix this issue. The identifier of the patch is c87682afa8df79853299f75489c9d333f7bc5fce. Upgrading the affected component is recommended.
nvd CVSS2.0
4.0
nvd CVSS3.1
3.5
nvd CVSS4.0
2.0
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
CWE-94
Code Injection
- https://github.com/1Panel-dev/CordysCRM/
- https://github.com/1Panel-dev/CordysCRM/commit/c87682afa8df79853299f75489c9d333f...
- https://github.com/1Panel-dev/CordysCRM/issues/2233
- https://github.com/1Panel-dev/CordysCRM/pull/2356
- https://github.com/1Panel-dev/CordysCRM/releases/tag/v1.7.0
- https://vuldb.com/cve/CVE-2026-10567
- https://vuldb.com/submit/829316
- https://vuldb.com/vuln/367674
- https://vuldb.com/vuln/367674/cti
Published: 2 Jun 2026 · Updated: 2 Jun 2026 · First seen: 2 Jun 2026