Description
A vulnerability has been found in 1Panel-dev CordysCRM up to 1.6.2. This affects an unknown function of the file backend/framework/src/main/java/cn/cordys/config/RequestParamTrimConfig.java. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.0 mitigates this issue. The identifier of the patch is c87682afa8df79853299f75489c9d333f7bc5fce. It is suggested to upgrade the affected component.
Published: 2026-06-01
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross-site scripting vulnerability exists in the RequestParamTrimConfig.java component of 1Panel-dev CordysCRM. The flaw exposes a function that can be supplied with unsanitized user input, allowing an attacker to inject arbitrary JavaScript into a victim's browser session. The injected code can steal session cookies, deface pages, or perform actions in the context of the authenticated user. The weakness is classified as CWE-79 (cross-site scripting) and is also tagged with CWE-94 (improper control of code generation, i.e. code injection).

Affected Systems

The vulnerability affects CordysCRM versions up to and including 1.6.2 from 1Panel-dev. The affected code resides in backend/framework/src/main/java/cn/cordys/config/RequestParamTrimConfig.java. Versions 1.7.0 and later contain a patched implementation that removes the vulnerability.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, and no EPSS score is available, so there is no published estimate of exploitation probability yet. The issue is not listed in the CISA KEV catalog. Remote exploitation is possible, as the flaw can be triggered without local access by submitting crafted payloads to the vulnerable endpoint. If an attacker can deliver the payload, they may achieve a cross-site scripting attack against users interacting with the application.

Generated by OpenCVE AI on June 2, 2026 at 02:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CordysCRM to version 1.7.0 or later, which incorporates the patch identified by commit c87682afa8df79853299f75489c9d333f7bc5fce
  • Apply stringent input validation to all request parameters according to CWE-79 best practices to further harden the application against XSS
  • If an immediate upgrade is not feasible, temporarily disable or restrict the exposed vulnerable functionality until the patch is applied

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 00:15:00 +0000

Initial record; all values below were added and none were removed.

Description: A vulnerability has been found in 1Panel-dev CordysCRM up to 1.6.2. This affects an unknown function of the file backend/framework/src/main/java/cn/cordys/config/RequestParamTrimConfig.java. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.0 mitigates this issue. The identifier of the patch is c87682afa8df79853299f75489c9d333f7bc5fce. It is suggested to upgrade the affected component.
Title: 1Panel-dev CordysCRM RequestParamTrimConfig.java cross site scripting
First Time appeared: 1panel-dev; 1panel-dev cordyscrm
Weaknesses: CWE-79; CWE-94
CPEs: cpe:2.3:a:1panel-dev:cordyscrm:*:*:*:*:*:*:*:*
Vendors & Products: 1panel-dev; 1panel-dev cordyscrm
References: (empty)
Metrics:
  cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}
  cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
  cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
  cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T23:45:12.138Z

Reserved: 2026-06-01T05:49:54.439Z

Link: CVE-2026-10514

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-02T00:16:36.793

Modified: 2026-06-02T00:16:36.793

Link: CVE-2026-10514

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T02:15:06Z

Weaknesses