CVE-2026-0587: Cross Site Scripting in Xinhu Rainrock RockOA
A security flaw has been discovered in Xinhu Rainrock RockOA up to 2.7.1. Affected is an unknown function of the file rock_page_gong.php of the component Cover Image Handler. The manipulation of the argument fengmian results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-0587 is a cross-site scripting (XSS) vulnerability identified in Xinhu Rainrock RockOA, a widely used office automation platform, specifically in versions 2.7.0 and 2.7.1. The vulnerability resides in the rock_page_gong.php file within the Cover Image Handler component. The issue stems from improper sanitization of the 'fengmian' parameter, which can be manipulated by an attacker to inject arbitrary JavaScript code. This flaw is exploitable remotely without requiring authentication, although it necessitates user interaction to execute the malicious payload, such as clicking a crafted link or visiting a malicious page. The vendor was notified early but has not provided a patch or response, and public exploit code has been released, increasing the likelihood of exploitation in the wild. The CVSS 4.0 base score is 5.1 (medium severity), reflecting the ease of remote exploitation but limited impact on confidentiality and availability. The vulnerability can be leveraged to perform session hijacking, steal credentials, or conduct phishing attacks within the RockOA environment, potentially compromising sensitive organizational data. The lack of vendor response and absence of official patches necessitate immediate defensive measures by users of the affected versions.
Potential Impact
The exploitation of CVE-2026-0587 can lead to significant security risks for organizations using Xinhu Rainrock RockOA. Successful XSS attacks can enable attackers to hijack user sessions, steal authentication tokens, or execute unauthorized actions on behalf of legitimate users. This can result in unauthorized access to sensitive corporate information, disruption of business processes, and potential lateral movement within internal networks. Since RockOA is often used for office automation and document management, compromised accounts could expose confidential communications and documents. The public availability of exploit code increases the risk of widespread attacks, especially in environments where user awareness is low or where additional security controls are lacking. Although the vulnerability does not directly impact system availability or integrity, the confidentiality breach potential and the ability to impersonate users make it a serious concern for affected organizations.
Mitigation Recommendations
1. Implement strict input validation and output encoding on the 'fengmian' parameter within the Cover Image Handler component to neutralize malicious scripts.
2. Deploy a Web Application Firewall (WAF) with custom rules to detect and block XSS payloads targeting the vulnerable parameter.
3. Educate users to be cautious with unsolicited links or unexpected content within RockOA, reducing the risk of triggering malicious scripts.
4. Monitor web server and application logs for unusual requests or patterns indicative of exploitation attempts.
5. Isolate or restrict access to RockOA instances to trusted networks and users to limit exposure.
6. Regularly back up critical data and maintain incident response plans to quickly address potential breaches.
7. Engage with Xinhu or community forums to track any forthcoming patches or official advisories.
8. Consider upgrading to newer versions or alternative solutions if available and secure.
These steps provide layered defense until an official patch is released.
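As an added example for step 4 (log monitoring), not code from the advisory or from RockOA itself: a small Python checker that walks web server access-log lines in combined format, pulls the 'fengmian' query parameter out of each request, percent-decodes it repeatedly so double-encoded values are not missed, and flags any value carrying markup or script-like content, which a cover-image reference should never contain. The log lines and IP addresses are constructed for the example; the log format and request shape are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jan/2026:11:13:22 +0000] "GET /index.php?m=rock_page_gong&fengmian=cover1.jpg HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Jan/2026:11:14:03 +0000] "GET /rock_page_gong.php?fengmian=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 731 "-" "curl/8.0"
203.0.113.9 - - [05/Jan/2026:11:14:10 +0000] "GET /rock_page_gong.php?fengmian=%253Csvg%2520onload%253Dalert(1)%253E HTTP/1.1" 200 731 "-" "curl/8.0"
198.51.100.4 - - [05/Jan/2026:11:15:00 +0000] "POST /rock_page_gong.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Markup or script-bearing content; a cover-image filename has no business containing it.
SUSPICIOUS = re.compile(r'<|>|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Percent-decode until stable (bounded) so double-encoded values are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_line(line):
    """Return a finding dict for a suspicious 'fengmian' value, else None.
    Only the query string is inspected: POST bodies are not present in access logs."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    for raw in parse_qs(parts.query).get("fengmian", []):  # parse_qs decodes once
        decoded = fully_decode(raw)
        if SUSPICIOUS.search(decoded):
            return {"ip": m.group("ip"), "ts": m.group("ts"),
                    "path": parts.path, "fengmian": decoded}
    return None

def scan(log_text):
    """Scan a block of log lines and return all findings in order."""
    return [hit for hit in (flag_line(l) for l in log_text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```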
Affected Countries
China, Taiwan, Singapore, Malaysia, Indonesia, Vietnam, United States, India, South Korea, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-04T17:56:33.809Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 695b9cd2d0cafea50bf0271e
Added to database: 1/5/2026, 11:13:22 AM
Last enriched: 2/23/2026, 11:15:33 PM
Last updated: 3/26/2026, 4:42:02 AM