Description
A vulnerability was identified in OFCMS 1.1.3. This issue affects the function Query of the file \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SystemDictController.java of the component JSON Query Interface. The manipulation leads to SQL injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in OFCMS allows an attacker to inject arbitrary SQL through the JSON query endpoint exposed in the SystemDictController. This flaw corresponds to CWE-74 and CWE-89. The Query function constructs its query from request input without proper sanitization, enabling execution of arbitrary statements on the backend database. Successful exploitation would allow the attacker to read, modify or delete data stored in the database, compromising confidentiality, integrity and potentially availability of the system.

Affected Systems

The affected system is OFCMS version 1.1.3. The flaw resides in the SystemDictController class located under the /ofcms-admin/src/main/java/com/ofsoft/cms/admin/controller/system/ directory, specifically the Query method handling JSON requests. Users deploying this version of OFCMS without a fix are therefore exposed to the risk.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score is not available, so the current model does not provide a specific estimate of exploitation probability. The vulnerability is not listed in the CISA KEV catalog and the vendor has not yet provided a public fix. Exploitation can be performed remotely by sending a crafted JSON payload to the exposed endpoint, and publicly available proof‑of‑concept code suggests the attack could be automated. Until the vendor issues a patch, the likely attack vector remains the remote JSON query interface.

Generated by OpenCVE AI on June 1, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available patch or upgrade to a later version of OFCMS that removes the unsanitized query handling.
  • If a patch is not yet released, restrict access to the /admin JSON query endpoint by network segmentation, firewall rules, or IP whitelisting to prevent remote exploitation.
  • Implement input validation or an application firewall that detects and blocks malicious SQL injection patterns targeting the query parameters before they reach the database.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 31 May 2026 23:30:00 +0000

Values Removed: (none)
Values Added:
  Description: A vulnerability was identified in OFCMS 1.1.3. This issue affects the function Query of the file \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SystemDictController.java of the component JSON Query Interface. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
  Title: OFCMS JSON Query SystemDictController.java query sql injection
  First Time appeared: Ofcms; Ofcms ofcms
  Weaknesses: CWE-74, CWE-89
  CPEs: cpe:2.3:a:ofcms:ofcms:*:*:*:*:*:*:*:*
  Vendors & Products: Ofcms; Ofcms ofcms
  References:
  Metrics:
    cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-03T18:43:43.917Z

Reserved: 2026-05-31T06:33:14.022Z

Link: CVE-2026-10202

Vulnrichment

Updated: 2026-06-03T18:43:36.593Z

NVD

Status: Deferred

Published: 2026-06-01T00:16:42.097

Modified: 2026-06-01T15:15:37.293

Link: CVE-2026-10202

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T02:00:06Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')