Description
A weakness has been identified in Xinhu Rainrock RockOA up to 2.7.1. Affected by this vulnerability is an unknown functionality of the file rockfun.php of the component API. This manipulation of the argument callback causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-01-05
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

A cross‑site scripting weakness exists in the rockfun.php API of Xinhu Rainrock RockOA up to version 2.7.1. By sending a crafted request that manipulates the "callback" argument, an attacker can cause arbitrary script execution in the browser of victim users. The vulnerability permits injection of malicious content that is reflected by the server and executed on the client, potentially leading to session hijacking or data theft. The flaw falls under CWE‑79 and CWE‑94.

Affected Systems

The vulnerable product is Xinhu Rainrock RockOA, all releases through 2.7.1. No other vendor or product is mentioned.

Risk and Exploitability

The CVSS score of 5.1 indicates a medium severity. EPSS is lower than 1 %, so exploitation likelihood is low at the time of this analysis. It is not listed in the CISA KEV catalog, implying no known massive exploitation campaigns. The attack vector is remote; an attacker can trigger the flaw over the network by calling the API with a malicious callback parameter. Publicly available exploit code has been released, so defense in depth, such as input validation or disabling the vulnerable API, is recommended.

Generated by OpenCVE AI on April 18, 2026 at 08:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RockOA to a version newer than 2.7.1 where the rockfun.php callback handling is sanitized.
  • If an upgrade is not immediately possible, modify the API configuration or code to block or remove the "callback" parameter, or enforce strict input validation that rejects script tags.
  • Deploy a web application firewall rule that detects and blocks reflected XSS payloads targeting the rockfun.php endpoint.
  • Monitor application logs for unusual callback parameter traffic and enforce rate limiting on API calls.

Generated by OpenCVE AI on April 18, 2026 at 08:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:rockoa:rockoa:*:*:*:*:*:*:*:*

Tue, 06 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Rockoa
Rockoa rockoa
Rockoa xinhu
Xinhu
Xinhu rockoa
Vendors & Products Rockoa
Rockoa rockoa
Rockoa xinhu
Xinhu
Xinhu rockoa

Tue, 06 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 05 Jan 2026 11:45:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in Xinhu Rainrock RockOA up to 2.7.1. Affected by this vulnerability is an unknown functionality of the file rockfun.php of the component API. This manipulation of the argument callback causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title Xinhu Rainrock RockOA API rockfun.php cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Rockoa Rockoa Xinhu
Xinhu Rockoa
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:17:40.034Z

Reserved: 2026-01-04T17:56:37.393Z

Link: CVE-2026-0588

cve-icon Vulnrichment

Updated: 2026-01-05T21:12:21.424Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-05T12:15:45.737

Modified: 2026-01-22T17:15:05.390

Link: CVE-2026-0588

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T08:30:35Z

Weaknesses