CVE-2026-0587 is a cross-site scripting vulnerability affecting Xinhu Rainrock RockOA versions 2.7.0 and 2.7.1. The vulnerability resides in the Cover Image Handler component, specifically within the rock_page_gong.php file, where the 'fengmian' parameter is improperly sanitized. This flaw allows an attacker to inject malicious JavaScript code remotely by manipulating this parameter, which is then executed in the context of the victim's browser when they access the affected page. The attack does not require authentication, making it accessible to unauthenticated remote attackers, but it does require user interaction to trigger the malicious payload. The vendor was notified early but has not issued any response or patch, and the exploit code has been publicly disclosed, increasing the likelihood of exploitation. The vulnerability impacts confidentiality and integrity by enabling session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, but user interaction is necessary. The vulnerability does not affect availability or system control. No official patches or mitigation guidance have been released, leaving organizations reliant on temporary workarounds or input filtering. This vulnerability highlights the need for input validation and output encoding in web applications to prevent XSS attacks.

For European organizations using Xinhu Rainrock RockOA versions 2.7.0 or 2.7.1, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized access to user sessions, theft of sensitive information such as credentials, and potential lateral movement within internal networks if attackers leverage stolen credentials. Since RockOA is an office automation platform, compromised accounts could expose confidential business communications, documents, and workflows, impacting data confidentiality and integrity. The lack of vendor response and patches increases exposure time, raising the risk of targeted attacks. Organizations in sectors with high regulatory requirements (e.g., finance, healthcare, government) could face compliance violations if data breaches occur. Additionally, the public availability of exploit code lowers the barrier for attackers, including opportunistic threat actors. The requirement for user interaction means phishing or social engineering campaigns could be used to trigger the exploit, amplifying the threat. Overall, the vulnerability could disrupt business operations and damage organizational reputation if exploited.

1. Implement strict input validation and output encoding on the 'fengmian' parameter within RockOA to neutralize malicious scripts until an official patch is available. 2. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block XSS payloads targeting the vulnerable parameter. 3. Educate users to recognize and avoid suspicious links or content that could trigger the XSS attack, reducing the risk of user interaction exploitation. 4. Monitor web server logs and application behavior for unusual requests or error patterns indicative of exploitation attempts. 5. Restrict access to the RockOA application to trusted networks or VPNs to limit exposure to external attackers. 6. Regularly back up critical data and ensure incident response plans include XSS attack scenarios. 7. Engage with Xinhu or community forums to track patch releases or unofficial fixes and apply them promptly. 8. Consider deploying Content Security Policy (CSP) headers to mitigate the impact of injected scripts by restricting script execution sources. These measures collectively reduce the attack surface and mitigate the risk until an official patch is released.