Is there a public PoC exploit available for CVE-2026-10567?

Yes, a public proof-of-concept exploit is available for CVE-2026-10567. Prioritise patching immediately. EPSS: 0.0%.

Is there a patch available for CVE-2026-10567?

Yes, a patch is available for CVE-2026-10567. Update the affected software to the latest version immediately.

CordysCRM CVE-2026-10567

Q: What is the CVSS score of CVE-2026-10567?

CVE-2026-10567 has a CVSS 4.0 base score of 2.0 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-33875 LOW

Cross-site Scripting (XSS) (CWE-79)

2026-06-02 VulDB

GHSA-v567-42w8-4xx7

XSS Java

2.0

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.0 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Scope

Lifecycle Timeline

CVSS changed

Jun 02, 2026 - 03:22 NVD

3.5 (LOW) 2.0 (LOW)

Source Code Evidence Fetched

Jun 02, 2026 - 02:46 vuln.today

Analysis Generated

Jun 02, 2026 - 02:46 vuln.today

DescriptionCVE.org

A security vulnerability has been detected in 1Panel-dev CordysCRM up to 1.4.1. This impacts the function Save of the file src/main/java/cn/cordys/crm/system/service/ModuleFormService.java of the component ModuleFormController. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.7.0 will fix this issue. The identifier of the patch is c87682afa8df79853299f75489c9d333f7bc5fce. Upgrading the affected component is recommended.

AnalysisAI

Stored cross-site scripting in CordysCRM (1Panel-dev, versions up to 1.4.1) allows an authenticated remote attacker to inject malicious scripts via the unvalidated Description parameter in the ModuleFormController's Save function. The payload persists to the database and executes in any victim's browser upon viewing the affected module form, enabling session hijacking, credential theft, or UI-based phishing. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Authenticate with low-privilege CRM account

Delivery

Craft XSS payload in Description field

Exploit

Submit via ModuleFormController Save endpoint

Install

Payload stored unescaped in database

Victim user views affected module form page

Execute

Browser executes injected script

Impact

Attacker exfiltrates session token or performs unauthorized actions

Recon

Authenticate with low-privilege CRM account

Delivery

Craft XSS payload in Description field

Exploit

Submit via ModuleFormController Save endpoint

Install

Payload stored unescaped in database

Victim user views affected module form page

Execute

Browser executes injected script

Impact

Attacker exfiltrates session token or performs unauthorized actions

Vulnerability AssessmentAI

Exploitation	The attacker must hold a valid low-privilege authenticated account on the CordysCRM instance (PR:L confirmed by CVSS vector), specifically one with write access to module form records via ModuleFormController. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 3.5 (Low) base score accurately reflects constrained real-world impact: the attack is network-reachable with low complexity (AV:N/AC:L), but requires a valid authenticated account (PR:L) and a separate victim to interact with the malicious content (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated low-privilege CRM user crafts a module form Description field containing a JavaScript payload such as a cookie-stealing script and submits it via the ModuleFormController Save endpoint. The payload is stored in the database without sanitization. …
Remediation	Upgrade CordysCRM to version 1.7.0 or later, confirmed via the vendor GitHub release at https://github.com/1Panel-dev/CordysCRM/releases/tag/v1.7.0 and patch commit c87682afa8df79853299f75489c9d333f7bc5fce (PR #2356 at https://github.com/1Panel-dev/CordysCRM/pull/2356). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-28575 CRITICAL Act Now

10.0 Jun 17

Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.tran

CVE-2026-41699 CRITICAL Act Now

9.8 Jun 11

Remote code execution in Spring for GraphQL versions 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3 allows unauthenticated at

CVE-2026-47835 HIGH This Week

8.6 Jun 15

NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers t

CVE-2026-47825 HIGH This Week

8.6 Jun 15

Origin validation failure in Spring Cloud Gateway (WebMVC and WebFlux Server variants) allows remote attackers to spoof

CVE-2026-40999 HIGH This Week

8.6 Jun 11

Server-Side Request Forgery in Spring Web Services (versions 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1) al

CVE-2026-10567 vulnerability details – vuln.today

Back