CVE-2026-0587 identifies a cross-site scripting vulnerability in Xinhu Rainrock RockOA, a widely used office automation platform, affecting versions 2.7.0 and 2.7.1. The vulnerability exists in the rock_page_gong.php file within the Cover Image Handler component, where the 'fengmian' parameter is not properly sanitized before being reflected in the web page output. This flaw enables remote attackers to inject arbitrary JavaScript code that executes in the context of a victim’s browser when they access a crafted URL containing malicious payloads in the 'fengmian' parameter. The attack vector is network-based with low attack complexity and does not require authentication, but it does require user interaction, such as clicking a malicious link. The vulnerability impacts confidentiality and integrity by potentially allowing session hijacking, credential theft, or unauthorized actions performed under the victim’s session. The vendor was informed early but has not issued any patches or advisories, and exploit code has been publicly released, increasing the risk of exploitation. The CVSS 4.0 score of 5.1 reflects a medium severity, considering the ease of exploitation and the limited scope of impact. No known exploits in the wild have been reported yet, but the availability of public exploits raises the likelihood of future attacks. The vulnerability highlights the need for improved input validation and output encoding in the affected component to prevent script injection.

For European organizations, this vulnerability poses a risk primarily to confidentiality and integrity of user sessions and data. Attackers could leverage the XSS flaw to steal authentication cookies, perform actions on behalf of users, or deliver further malware payloads. Organizations using RockOA for internal communications, document management, or workflow automation could face data breaches or operational disruptions. The lack of vendor response and patches increases exposure time, making it easier for attackers to exploit the vulnerability. If exploited in critical sectors such as government, finance, or healthcare, the impact could extend to regulatory non-compliance, reputational damage, and financial losses. The requirement for user interaction means phishing or social engineering campaigns could be used to trigger the attack, increasing the attack surface. European entities relying on RockOA should assess their exposure and implement compensating controls promptly to mitigate potential damage.

1. Implement strict input validation and output encoding for the 'fengmian' parameter to neutralize malicious scripts. 2. Deploy and configure Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting RockOA endpoints. 3. Educate users to recognize and avoid suspicious links or emails that could trigger XSS attacks. 4. Monitor web server logs and application behavior for unusual requests or error patterns indicative of exploitation attempts. 5. Isolate RockOA installations within secure network segments to limit exposure. 6. If possible, upgrade to a patched version when the vendor releases one or consider alternative software solutions. 7. Employ Content Security Policy (CSP) headers to restrict script execution sources and mitigate impact of injected scripts. 8. Conduct regular security assessments and penetration testing focused on web application vulnerabilities. 9. Maintain incident response readiness to quickly address any exploitation events. 10. Engage with Xinhu vendor or community forums to track updates and share mitigation strategies.