Skip to main content

OFCMS CVE-2026-10202

| EUVDEUVD-2026-33524 LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-06-01 cna@vuldb.com GHSA-h3m3-44j8-3cv6
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 00:26 vuln.today

DescriptionCVE.org

A vulnerability was identified in OFCMS 1.1.3. This issue affects the function Query of the file \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SystemDictController.java of the component JSON Query Interface. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

SQL injection in OFCMS 1.1.3 allows remote low-privileged attackers to manipulate database queries through the Query function of SystemDictController.java's JSON Query Interface. Attackers with a valid low-privilege account can send crafted input to this endpoint to read, modify, or partially disrupt data within the application's database scope. No public exploit identified at time of analysis beyond publicly available proof-of-concept code; the project maintainer has not responded to the responsible disclosure filed via Gitee issue, leaving the vulnerability unpatched.

Technical ContextAI

OFCMS is a Java-based open-source content management system hosted on Gitee (oufu/ofcms). The vulnerable code resides in ofcms-admin/src/main/java/com/ofsoft/cms/admin/controller/system/SystemDictController.java, specifically within the Query function exposed through a JSON Query Interface - an administrative endpoint that accepts JSON-formatted query parameters and passes them to a backend database layer. The root cause is classified under CWE-74 (Injection), the broad injection parent class, with the specific manifestation being SQL injection: user-supplied input is not properly sanitized or parameterized before being incorporated into a database query. The affected version is 1.1.3 per the CVE description; no CPE string was provided, so version bounds beyond 1.1.3 cannot be confirmed from available data. The CVSS 4.0 vector (E:P) confirms proof-of-concept exploit code exists, consistent with the description noting the exploit is publicly available.

RemediationAI

No vendor-released patch has been identified at time of analysis. The project maintainer was notified via a Gitee issue (https://gitee.com/oufu/ofcms/issues/IJLIBT) but has not responded, leaving no official fix or remediation guidance. Until a patch is released, organizations should apply the following compensating controls: restrict access to the affected JSON Query Interface endpoint at the network or application layer so that only explicitly trusted, known-good user accounts can reach it - this reduces but does not eliminate risk since PR:L means any low-privilege account qualifies as an attacker. Implement a web application firewall (WAF) rule to detect and block common SQL injection payloads in JSON request bodies targeting /system/dict or equivalent route patterns; note that WAF bypass techniques exist and this is not a definitive control. Audit existing low-privilege accounts and remove unnecessary ones to reduce the attacker pool. Monitor database query logs for anomalous patterns such as UNION-based or boolean-blind injection signatures. If OFCMS is not business-critical, consider taking the admin interface offline or restricting it to an internal-only network segment until a patch is available. Track the Gitee issue and VulDB entry at https://vuldb.com/vuln/367482 for any upstream patch release.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-10202 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy