Description
A security vulnerability has been detected in 1Panel-dev CordysCRM up to 1.4.1. This impacts the function Save of the file src/main/java/cn/cordys/crm/system/service/ModuleFormService.java of the component ModuleFormController. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.7.0 will fix this issue. The identifier of the patch is c87682afa8df79853299f75489c9d333f7bc5fce. Upgrading the affected component is recommended.
Published: 2026-06-02
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the ModuleFormService.save path, where the Description argument is accepted and later rendered without proper output encoding, so an attacker who can submit a module form can place arbitrary HTML and script into pages served by the application. The script executes in the browser of any user who views the affected record, enabling session hijacking, defacement of the CRM interface, or follow-on attacks such as phishing. The record tracks the weakness as CWE-79 (improper neutralization of input during web page generation) and also lists CWE-94 (code injection), reflecting that the injected content is executed as code by the victim's browser.

Affected Systems

1Panel-dev CordysCRM versions up to and including 1.4.1 are affected. The advisory names release 1.7.0 as the fixed version and identifies the patch commit as c87682afa8df79853299f75489c9d333f7bc5fce; it does not state whether releases between 1.4.1 and 1.7.0 are affected, so treat them as unverified. The CPE entry (cpe:2.3:a:1panel-dev:cordyscrm:*:*:*:*:*:*:*:*) is version-wildcarded.

Risk and Exploitability

The CVSS v4.0 base score of 5.1 rates the issue Medium; the v3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N) scores it 3.5 and spells out the preconditions: network-reachable, low attack complexity, a low-privileged account to submit the crafted Description value, and a victim who interacts with the affected page. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, but the VulDB description states that an exploit has been publicly disclosed, and the temporal metrics (E:P in v3.x and v4.0, E:POC in v2.0) record proof-of-concept exploit maturity. Because the payload runs client-side, the scored impact is limited to integrity (I:L) of what the victim's browser renders, and a victim must view the affected page in a browser for the injected script to run.

Generated by OpenCVE AI on June 2, 2026 at 03:21 UTC.

Remediation

Vendor fix: upgrade CordysCRM to version 1.7.0 or later, which carries patch commit c87682afa8df79853299f75489c9d333f7bc5fce. No vendor-published workaround is listed.

OpenCVE Recommended Actions

  • Upgrade 1Panel-dev CordysCRM to version 1.7.0 or later to apply the patch commit c87682afa8df79853299f75489c9d333f7bc5fce.
  • If upgrading is not immediately possible, limit which accounts can reach the ModuleFormController save endpoint (the CVSS vector shows the flaw needs an authenticated, low-privileged submitter) and review already stored Description values for HTML or script markup, since a payload saved before the upgrade remains in the database.
  • A web application firewall rule that rejects script tags, event-handler attributes or javascript: URLs in the Description field is a stopgap only; the durable fix for CWE-79 is contextual output encoding (HTML-entity encoding for the HTML body context) wherever the field is rendered, rather than input filtering alone.
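As an added illustration (not CordysCRM code, and not the patched logic, which the advisory does not show), the following Python models the pattern the analysis and the third recommended action describe: a save path that stores the Description argument verbatim, a render path that interpolates it raw into HTML, the same render path with contextual HTML-entity encoding, and a coarse input check of the kind a WAF rule or log monitor would apply. ModuleForm, STORE, save_form, render_form_vulnerable, render_form_hardened, looks_like_xss and contains_active_markup are assumed names, and the payload is constructed.

```python
"""Added example: stored XSS through a free-text field, modelled on the
Description argument of a module-form save path. Not CordysCRM code; all
names and the sample payload below are constructed for illustration."""
import re
from dataclasses import dataclass
from html import escape


@dataclass
class ModuleForm:
    name: str
    description: str


# Stand-in for the persistence layer behind the save path (assumption).
STORE: dict = {}


def save_form(form_id: int, name: str, description: str) -> ModuleForm:
    """Vulnerable pattern: the Description argument is stored exactly as
    submitted. Storing raw text is acceptable only if every render path
    encodes it for the context it is written into."""
    STORE[form_id] = ModuleForm(name=name, description=description)
    return STORE[form_id]


def render_form_vulnerable(form_id: int) -> str:
    """Interpolates stored text straight into HTML: any markup the submitter
    saved is parsed by the browser of every user who views the record."""
    f = STORE[form_id]
    return f'<h2>{f.name}</h2><p class="desc">{f.description}</p>'


def render_form_hardened(form_id: int) -> str:
    """Contextual output encoding for the HTML body context (the fix for
    CWE-79): <, >, &, " and ' become entities, so the same stored payload is
    displayed as text instead of executed."""
    f = STORE[form_id]
    return (f'<h2>{escape(f.name, quote=True)}</h2>'
            f'<p class="desc">{escape(f.description, quote=True)}</p>')


# Coarse markers for monitoring or WAF-style screening of submitted values.
# This is a detection aid for "anomalous input", not a substitute for
# output encoding: filters are bypassable, encoders are not.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript:|\son\w+\s*=|<\s*(?:svg|iframe|object|embed)",
    re.IGNORECASE,
)


def looks_like_xss(value: str) -> bool:
    """Flag a submitted field value that carries script-bearing markup."""
    return XSS_MARKERS.search(value) is not None


def contains_active_markup(html_out: str) -> bool:
    """Check rendered output for an unencoded script tag or inline event
    handler; True means the page would execute submitter-controlled code."""
    return re.search(r"<\s*script|<[^>]+\son\w+\s*=", html_out,
                     re.IGNORECASE) is not None


if __name__ == "__main__":
    # Constructed payload of the kind a low-privileged submitter could place
    # in the Description field; it fires without any <script> tag.
    payload = '<img src=x onerror="alert(document.cookie)">'
    save_form(1, "Leads", payload)
    print("input flagged:", looks_like_xss(payload))
    print("vulnerable render executes:",
          contains_active_markup(render_form_vulnerable(1)))
    print("hardened render executes:",
          contains_active_markup(render_form_hardened(1)))
    print(render_form_hardened(1))
```

The two renderers read the same stored record, which is the point: once a payload has been saved, the only thing standing between it and the viewer's browser is the encoding applied at render time, so post-upgrade cleanup of stored values matters less than confirming that every path that renders Description encodes it.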

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 02:30:00 +0000

Values removed: none
Values added:

Description: A security vulnerability has been detected in 1Panel-dev CordysCRM up to 1.4.1. This impacts the function Save of the file src/main/java/cn/cordys/crm/system/service/ModuleFormService.java of the component ModuleFormController. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.7.0 will fix this issue. The identifier of the patch is c87682afa8df79853299f75489c9d333f7bc5fce. Upgrading the affected component is recommended.

Title: 1Panel-dev CordysCRM ModuleFormController ModuleFormService.java save cross site scripting

First Time appeared: 1panel-dev; 1panel-dev cordyscrm

Weaknesses: CWE-79; CWE-94

CPEs: cpe:2.3:a:1panel-dev:cordyscrm:*:*:*:*:*:*:*:*

Vendors & Products: 1panel-dev; 1panel-dev cordyscrm

References: (none listed)

Metrics:
cvssV2_0 {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}
cvssV3_0 {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
cvssV3_1 {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-02T02:00:15.087Z

Reserved: 2026-06-01T16:36:54.499Z

Link: CVE-2026-10567

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-02T03:16:16.367

Modified: 2026-06-02T03:16:16.367

Link: CVE-2026-10567

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T03:30:26Z

Weaknesses