CVE-2026-0588 identifies a cross-site scripting (XSS) vulnerability in Xinhu Rainrock RockOA, an office automation platform, affecting versions 2.7.0 and 2.7.1. The vulnerability resides in the rockfun.php file within the API component, where the 'callback' parameter is improperly sanitized. This allows an attacker to inject malicious JavaScript code that executes in the context of the victim's browser when they access a crafted URL. The attack vector is remote and does not require prior authentication, but user interaction is necessary to trigger the payload. The vulnerability leverages reflected XSS, which can be used to steal session cookies, perform actions on behalf of the user, or redirect users to malicious sites. The vendor was notified early but has not issued a patch or response, and no official fixes or mitigations have been published. The CVSS v4.0 score is 5.1, reflecting medium severity due to the ease of exploitation and potential impact on confidentiality and integrity, but limited impact on availability. No known exploits are currently active in the wild, but public disclosure increases the risk of exploitation attempts. Organizations using RockOA should assess exposure and implement compensating controls while awaiting vendor remediation.

The primary impact of this vulnerability is the compromise of user confidentiality and integrity through the execution of arbitrary scripts in the victim's browser. Successful exploitation can lead to session hijacking, theft of sensitive information such as credentials, unauthorized actions performed on behalf of the user, and potential phishing or malware distribution. While availability is not directly affected, the trustworthiness of the affected application is undermined, potentially leading to reputational damage. Organizations relying on RockOA for internal communication and workflow automation could face operational disruptions if attackers leverage this vulnerability to escalate privileges or move laterally within the network. The risk is heightened in environments with high-value targets such as government agencies, large enterprises, or organizations handling sensitive data. The lack of vendor response and patch availability increases the window of exposure, making timely mitigation critical.

Given the absence of an official patch, organizations should implement the following specific mitigations: 1) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests containing malicious 'callback' parameter payloads targeting rockfun.php. 2) Conduct input validation and output encoding at the application layer if possible, by customizing or extending RockOA code to sanitize the 'callback' parameter rigorously. 3) Restrict access to the API endpoint rockfun.php to trusted internal networks or authenticated users only, using network segmentation and access control lists. 4) Educate users about the risks of clicking on untrusted links and implement browser security features such as Content Security Policy (CSP) to limit script execution scope. 5) Monitor logs for unusual requests or error patterns related to the API component to detect exploitation attempts early. 6) Consider deploying reverse proxies that can filter or rewrite malicious inputs. 7) Maintain regular backups and incident response plans to quickly recover if exploitation occurs. Organizations should also engage with Xinhu for updates and track security advisories for eventual patches.