CVE-2026-10567
1Panel-dev CordysCRM ModuleFormController ModuleFormService.java save cross site scripting
CVSS Score
3.5
EPSS Score
0.0%
EPSS Percentile
0th
A security vulnerability has been detected in 1Panel-dev CordysCRM up to 1.4.1. This impacts the function Save of the file src/main/java/cn/cordys/crm/system/service/ModuleFormService.java of the component ModuleFormController. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.7.0 will fix this issue. The identifier of the patch is c87682afa8df79853299f75489c9d333f7bc5fce. Upgrading the affected component is recommended.
| CWE | CWE-79 CWE-94 |
| Vendor | 1panel-dev |
| Product | cordyscrm |
| Published | Jun 2, 2026 |
| Last Updated | Jun 2, 2026 |
Stay Ahead of the Next One
Get instant alerts for 1panel-dev cordyscrm
Be the first to know when new low vulnerabilities affecting 1panel-dev cordyscrm are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
1Panel-dev / CordysCRM
1.4.0 1.4.1
References
vuldb.com: https://vuldb.com/vuln/367674 vuldb.com: https://vuldb.com/vuln/367674/cti vuldb.com: https://vuldb.com/cve/CVE-2026-10567 vuldb.com: https://vuldb.com/submit/829316 github.com: https://github.com/1Panel-dev/CordysCRM/issues/2233 github.com: https://github.com/1Panel-dev/CordysCRM/pull/2356 github.com: https://github.com/1Panel-dev/CordysCRM/commit/c87682afa8df79853299f75489c9d333f7bc5fce github.com: https://github.com/1Panel-dev/CordysCRM/releases/tag/v1.7.0 github.com: https://github.com/1Panel-dev/CordysCRM/
Credits
๐ DaytimeHeaven (VulDB User)