Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security flaw has been discovered in OFCMS 1.1.3. Impacted is the function Query of the file \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SystemParamController.java of the component JSON Query Interface. The manipulation results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
SQL injection in OFCMS 1.1.3's JSON Query Interface allows authenticated remote attackers to manipulate database queries via the Query function in SystemParamController.java. A public proof-of-concept exploit has been released (CVSS E:P confirmed), while the vendor has not responded to the responsible disclosure report, leaving the vulnerability unpatched. The CVSS 4.0 score of 2.1 reflects low-privilege authentication requirements and limited blast radius, but the existence of public exploit code and the absence of any vendor patch elevates practical concern for deployments with internet-exposed admin interfaces.
Technical ContextAI
OFCMS is a Java-based open-source content management system hosted on Gitee. The vulnerability resides in the Query function of SystemParamController.java within the admin module at ofcms-admin/src/main/java/com/ofsoft/cms/admin/controller/system/SystemParamController.java. The affected component is the JSON Query Interface, which processes user-supplied query parameters without adequate sanitization or parameterization. CWE-74 (Injection) is cited as the root cause class - broader than the more specific CWE-89 (SQL Injection) - indicating that user-controlled input is directly incorporated into database query construction without proper neutralization of special elements. This pattern typically arises when dynamic query building concatenates raw input strings rather than using prepared statements or ORM-level binding, a common anti-pattern in Java web applications using direct JDBC or lightweight query builders.
RemediationAI
No vendor-released patch has been identified at time of analysis - the OFCMS maintainers were notified via a Gitee issue report (https://gitee.com/oufu/ofcms/issues/IJLIYP) but have not responded. Organizations should immediately restrict network access to the OFCMS admin interface, particularly the system parameter and JSON Query Interface endpoints, to trusted IP ranges or internal networks only, as exploitation requires an authenticated session that is only reachable if the admin panel is exposed. Disabling or blocking access to the SystemParamController route (e.g., /system/param or equivalent admin query endpoints) via web server or reverse proxy ACLs reduces the attack surface without requiring application changes. Deploying a WAF rule targeting SQL injection signatures on admin API paths provides an additional compensating control, though WAF bypasses are possible with sufficiently obfuscated payloads. Enforce the principle of least privilege for all OFCMS admin accounts to limit the pool of users who could exploit this vulnerability. Monitor the Gitee repository at https://gitee.com/oufu/ofcms for any forthcoming patch and apply it immediately given the public PoC availability.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33525
GHSA-c5w8-92g9-6wrj