CVE-2026-10203

Name of the Vulnerable Software and Affected Versions OFCMS version 1.1.3

Description A SQL injection flaw exists in the JSON Query Interface component. The issue is located in the Query() function within the file ofcms-adminsrcmainjavacomofsoftcmsadmincontrollersystemSystemParamController.java. This flaw allows a remote attacker to manipulate queries via the system parameter controller.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the Query() function in the SystemParamController.java file to minimize the risk of exploitation.