CVE-2026-0588 is a cross-site scripting (XSS) vulnerability identified in Xinhu Rainrock RockOA, specifically affecting versions 2.7.0 and 2.7.1. The flaw exists in the rockfun.php file within the API component, where improper sanitization or validation of the 'callback' parameter allows an attacker to inject malicious JavaScript code. This vulnerability can be exploited remotely without requiring authentication, although user interaction is necessary, typically by convincing a user to click a crafted URL or visit a malicious webpage. The XSS attack can lead to execution of arbitrary scripts in the context of the victim’s browser, enabling session hijacking, theft of sensitive information, or performing unauthorized actions on behalf of the user. The vendor was contacted early but has not provided any response or patch, and public exploit code is available, increasing the risk of exploitation. The CVSS 4.0 base score is 5.1, reflecting medium severity due to network attack vector, low complexity, no privileges required, but requiring user interaction and limited impact on integrity and availability. No known exploits in the wild have been reported yet, but the presence of public exploit code suggests potential for future attacks. The vulnerability affects an unknown functionality within the API, indicating that the attack surface may be limited to specific API calls or workflows within RockOA. Organizations using affected versions should consider this vulnerability a moderate risk and take proactive steps to mitigate exposure.

For European organizations using Xinhu Rainrock RockOA versions 2.7.0 or 2.7.1, this vulnerability poses a risk of client-side script injection leading to session hijacking, credential theft, or unauthorized actions within the application. This can result in data breaches, unauthorized access to sensitive corporate information, and potential lateral movement within the network if attackers leverage stolen credentials. The impact is particularly relevant for organizations relying on RockOA for internal collaboration, document management, or workflow automation, as compromised user sessions could disrupt business operations and erode trust. Since the attack requires user interaction, phishing or social engineering campaigns could be used to exploit this vulnerability. The lack of vendor response and patches increases the window of exposure, making timely mitigation critical. While the vulnerability does not directly affect system availability or integrity at a high level, the confidentiality impact and potential for privilege escalation through session compromise are significant. European entities in regulated sectors such as finance, healthcare, or government may face compliance risks if this vulnerability leads to data leakage.

1. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'callback' parameter in rockfun.php API requests. 2. Employ strict input validation and output encoding on all user-controllable parameters, especially the 'callback' argument, to neutralize script injection attempts. 3. Educate users about phishing risks and suspicious links to reduce the likelihood of successful user interaction exploitation. 4. Monitor application logs for unusual API requests or patterns indicative of exploitation attempts. 5. If feasible, restrict access to the vulnerable API endpoint to trusted IP ranges or via VPN to reduce exposure. 6. Consider deploying Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 7. Engage with the vendor or community to track patch releases and apply updates promptly once available. 8. As a temporary workaround, disable or limit the functionality involving the 'callback' parameter if it is not essential to business operations. 9. Conduct regular security assessments and penetration tests focusing on API endpoints to identify similar vulnerabilities. 10. Maintain up-to-date backups and incident response plans to quickly recover from potential compromises.