Description
A security flaw has been discovered in OFCMS 1.1.3. Impacted is the function Query of the file \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SystemParamController.java of the component JSON Query Interface. The manipulation results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the JSON query interface of OFCMS allows attackers to inject arbitrary SQL through the query method in the SystemParamController class. This injection can result in the execution of unintended SQL statements, potentially exposing or altering configuration data stored in the database. The vulnerability is identified as CWE‑74 and CWE‑89, reflecting both generic input validation and parameterization weaknesses.

Affected Systems

The vulnerable product is OFCMS 1.1.3. The flaw is located in the admin module under SystemParamController, and no other vendors or versions are listed in the CNA data.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS data is unavailable and the issue is not listed in the CISA KEV catalog. The known public exploit demonstrates that attackers can launch this attack remotely via the JSON query interface. Successful exploitation would allow the attacker to read or modify database contents, depending on the permissions of the database user used by the application.

Generated by OpenCVE AI on June 1, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s official patch or update to a fixed OFCMS release as soon as it is available.
  • If a patch is not yet released, disable or restrict access to the JSON query endpoint until a fix is issued.
  • Implement proper input validation and use parameterized queries in the SystemParamController to prevent injection.
  • Reduce the database privileges of the application account and monitor for anomalous activity.

Generated by OpenCVE AI on June 1, 2026 at 01:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in OFCMS 1.1.3. Impacted is the function Query of the file \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SystemParamController.java of the component JSON Query Interface. The manipulation results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title OFCMS JSON Query SystemParamController.java query sql injection
First Time appeared Ofcms
Ofcms ofcms
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:ofcms:ofcms:*:*:*:*:*:*:*:*
Vendors & Products Ofcms
Ofcms ofcms
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Ofcms Ofcms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T13:27:15.237Z

Reserved: 2026-05-31T06:36:10.663Z

Link: CVE-2026-10203

cve-icon Vulnrichment

Updated: 2026-06-01T13:27:08.231Z

cve-icon NVD

Status : Deferred

Published: 2026-06-01T00:16:42.257

Modified: 2026-06-01T15:15:37.293

Link: CVE-2026-10203

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T02:30:17Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')