CVE-2026-10567: Cross Site Scripting in 1Panel-dev CordysCRM
CVE-2026-10567 is a cross-site scripting (XSS) vulnerability in 1Panel-dev CordysCRM versions up to 1. 4. 1. The vulnerability exists in the Save function of the ModuleFormService. java file within the ModuleFormController component. It is triggered by manipulation of the Description argument, allowing remote attackers to execute XSS attacks. A public exploit has been disclosed. Upgrading to version 1. 7. 0 addresses this issue.
AI Analysis
Technical Summary
This vulnerability affects 1Panel-dev CordysCRM up to version 1.4.1 in the Save function of the ModuleFormService.java file. The Description parameter can be manipulated to perform cross-site scripting attacks, which may be initiated remotely. The vulnerability has a CVSS 4.0 base score of 5.1 (medium severity). A patch is available in version 1.7.0, identified by commit c87682afa8df79853299f75489c9d333f7bc5fce.
Potential Impact
Successful exploitation allows an attacker to perform cross-site scripting attacks by injecting malicious scripts via the Description argument. This can lead to execution of arbitrary scripts in the context of the affected application, potentially compromising user sessions or data. The vulnerability is remotely exploitable and a public exploit exists, increasing the risk of attack.
Mitigation Recommendations
Upgrade the affected CordysCRM component to version 1.7.0 or later, which contains the official fix for this vulnerability (commit c87682afa8df79853299f75489c9d333f7bc5fce). No other mitigation is indicated by the vendor advisory. Patch status is confirmed by the availability of the fixed version.
CVE-2026-10567: Cross Site Scripting in 1Panel-dev CordysCRM
Description
CVE-2026-10567 is a cross-site scripting (XSS) vulnerability in 1Panel-dev CordysCRM versions up to 1. 4. 1. The vulnerability exists in the Save function of the ModuleFormService. java file within the ModuleFormController component. It is triggered by manipulation of the Description argument, allowing remote attackers to execute XSS attacks. A public exploit has been disclosed. Upgrading to version 1. 7. 0 addresses this issue.
CVSS v4.0
Score 5.1medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects 1Panel-dev CordysCRM up to version 1.4.1 in the Save function of the ModuleFormService.java file. The Description parameter can be manipulated to perform cross-site scripting attacks, which may be initiated remotely. The vulnerability has a CVSS 4.0 base score of 5.1 (medium severity). A patch is available in version 1.7.0, identified by commit c87682afa8df79853299f75489c9d333f7bc5fce.
Potential Impact
Successful exploitation allows an attacker to perform cross-site scripting attacks by injecting malicious scripts via the Description argument. This can lead to execution of arbitrary scripts in the context of the affected application, potentially compromising user sessions or data. The vulnerability is remotely exploitable and a public exploit exists, increasing the risk of attack.
Mitigation Recommendations
Upgrade the affected CordysCRM component to version 1.7.0 or later, which contains the official fix for this vulnerability (commit c87682afa8df79853299f75489c9d333f7bc5fce). No other mitigation is indicated by the vendor advisory. Patch status is confirmed by the availability of the fixed version.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-06-01T16:36:54.499Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1e40ffe29bf47b506f6bae
Added to database: 6/2/2026, 2:33:35 AM
Last enriched: 6/2/2026, 2:48:52 AM
Last updated: 6/2/2026, 3:54:19 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.