CVE-2026-10193

Name of the Vulnerable Software and Affected Versions OFCMS versions prior to 1.1.4

Description A security flaw allows remote attackers to perform SQL injection, which is a technique used to manipulate database queries. The issue exists within the Query() function of the ComnController component, specifically in the file ofcms-adminsrcmainjavacomofsoftcmsadmincontrollerComnController.java. The flaw is triggered by manipulating the system.user.query argument.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the Query() function in the ComnController component to minimize the risk of exploitation.