PT-2026-32121 · Unknown · Rukovoditel Crm

Shukrullo Raximov · Published 2026-04-11 · Updated 2026-04-11

CVE-2026-31845

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Rukovoditel CRM versions 3.6.4 and earlier

Description: A reflected cross-site scripting (XSS) issue exists in the Zadarma telephony API endpoint ('/api/tel/zadarma.php'). The application reflects user-supplied input from the zd_echo GET parameter into the HTTP response without sanitization or output encoding: the vulnerable code passes the raw value of the zd_echo parameter straight to exit(), which writes it out as the response body. No authentication is required to reach the endpoint, so an attacker can craft a URL to it whose zd_echo value carries a JavaScript payload. When a victim opens that link, the payload executes in the victim's browser in the context of the application, potentially leading to session hijacking, credential theft, phishing, or account takeover.

Recommendations: Update to version 3.7 or later, which adds input validation and output encoding to the endpoint to prevent script injection.
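The following is an added illustration of the reflected-echo pattern the advisory describes, placed beside a hardened replacement. It is not Rukovoditel's or Zadarma's code. It assumes that the endpoint receives the telephony provider's verification request as GET /api/tel/zadarma.php?zd_echo=<token> and is expected to answer with that token; the alphanumeric, 64-character whitelist for the token is also an assumption made for the example.

```php
<?php
// Added illustration for this advisory: NOT Rukovoditel's or Zadarma's code.
// It models the reflected-echo handler the advisory describes and a hardened
// replacement. Assumption: the provider's verification request arrives as
// GET /api/tel/zadarma.php?zd_echo=<token> and expects the token back.

/**
 * Vulnerable pattern as described in the advisory: the raw GET value becomes
 * the response body (exit($_GET['zd_echo']) in the original). With PHP's
 * default Content-Type of text/html, a browser renders any markup in the token.
 */
function vulnerable_echo(array $get): array
{
    $body = isset($get['zd_echo']) ? (string) $get['zd_echo'] : '';
    return ['status' => 200, 'headers' => [], 'body' => $body];
}

/**
 * Hardened handler. The echo token only ever needs to be a short opaque
 * string (assumption: alphanumeric, at most 64 characters), so anything else
 * is rejected with 400. The value that is returned is additionally
 * HTML-encoded and served as text/plain with nosniff, so even a later
 * relaxation of the whitelist cannot turn the response into executable HTML.
 */
function hardened_echo(array $get): array
{
    $headers = [
        'Content-Type'           => 'text/plain; charset=utf-8',
        'X-Content-Type-Options' => 'nosniff',
    ];
    if (!isset($get['zd_echo']) || !is_string($get['zd_echo'])) {
        return ['status' => 400, 'headers' => $headers, 'body' => ''];
    }
    $token = $get['zd_echo'];
    if (!preg_match('/^[A-Za-z0-9]{1,64}$/', $token)) {
        return ['status' => 400, 'headers' => $headers, 'body' => ''];
    }
    $body = htmlspecialchars($token, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return ['status' => 200, 'headers' => $headers, 'body' => $body];
}

/** Emit a handler result as a real HTTP response (how the endpoint would use it). */
function send(array $response): void
{
    http_response_code($response['status']);
    foreach ($response['headers'] as $name => $value) {
        header("$name: $value");
    }
    exit($response['body']);
}

// Constructed sample requests for the demonstration (not taken from the advisory).
$legit   = ['zd_echo' => 'a1b2c3d4e5'];
$hostile = ['zd_echo' => '<script>alert(1)</script>'];

foreach (['legit' => $legit, 'hostile' => $hostile] as $label => $get) {
    $v = vulnerable_echo($get);
    $h = hardened_echo($get);
    printf("%-7s vulnerable -> %d %s\n", $label, $v['status'], $v['body']);
    printf("%-7s hardened   -> %d %s\n", $label, $h['status'], $h['body']);
}
```

Run from the command line, the legitimate token comes back from both handlers, while the hostile value is reflected verbatim by vulnerable_echo() and answered with a 400 and an empty body by hardened_echo(). The whitelist is the real fix; the text/plain content type and encoding are defence in depth, so that a mistake in either layer alone does not reproduce the advisory's condition.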

Tags: Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2026-31845

Affected Products: Rukovoditel Crm · Zadarma Telephony Api