CVE-2026-10204

Name of the Vulnerable Software and Affected Versions OFCMS version 1.1.3

Description A SQL injection flaw exists in the JSON Query Interface of the software. This issue occurs within the Query() function located in the ofcms-adminsrcmainjavacomofsoftcmsadmincontrollersystemSysUserController.java file. A remote attacker can manipulate this function to execute unauthorized SQL commands.

Recommendations As a temporary workaround, restrict access to the Query() function in the SysUserController.java file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.