Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was identified in OFCMS 1.1.3. This issue affects the function Query of the file \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SystemDictController.java of the component JSON Query Interface. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
SQL injection in OFCMS 1.1.3 allows remote low-privileged attackers to manipulate database queries through the Query function of SystemDictController.java's JSON Query Interface. Attackers with a valid low-privilege account can send crafted input to this endpoint to read, modify, or partially disrupt data within the application's database scope. No public exploit identified at time of analysis beyond publicly available proof-of-concept code; the project maintainer has not responded to the responsible disclosure filed via Gitee issue, leaving the vulnerability unpatched.
Technical ContextAI
OFCMS is a Java-based open-source content management system hosted on Gitee (oufu/ofcms). The vulnerable code resides in ofcms-admin/src/main/java/com/ofsoft/cms/admin/controller/system/SystemDictController.java, specifically within the Query function exposed through a JSON Query Interface - an administrative endpoint that accepts JSON-formatted query parameters and passes them to a backend database layer. The root cause is classified under CWE-74 (Injection), the broad injection parent class, with the specific manifestation being SQL injection: user-supplied input is not properly sanitized or parameterized before being incorporated into a database query. The affected version is 1.1.3 per the CVE description; no CPE string was provided, so version bounds beyond 1.1.3 cannot be confirmed from available data. The CVSS 4.0 vector (E:P) confirms proof-of-concept exploit code exists, consistent with the description noting the exploit is publicly available.
RemediationAI
No vendor-released patch has been identified at time of analysis. The project maintainer was notified via a Gitee issue (https://gitee.com/oufu/ofcms/issues/IJLIBT) but has not responded, leaving no official fix or remediation guidance. Until a patch is released, organizations should apply the following compensating controls: restrict access to the affected JSON Query Interface endpoint at the network or application layer so that only explicitly trusted, known-good user accounts can reach it - this reduces but does not eliminate risk since PR:L means any low-privilege account qualifies as an attacker. Implement a web application firewall (WAF) rule to detect and block common SQL injection payloads in JSON request bodies targeting /system/dict or equivalent route patterns; note that WAF bypass techniques exist and this is not a definitive control. Audit existing low-privilege accounts and remove unnecessary ones to reduce the attacker pool. Monitor database query logs for anomalous patterns such as UNION-based or boolean-blind injection signatures. If OFCMS is not business-critical, consider taking the admin interface offline or restricting it to an internal-only network segment until a patch is available. Track the Gitee issue and VulDB entry at https://vuldb.com/vuln/367482 for any upstream patch release.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33524
GHSA-h3m3-44j8-3cv6