PatchSiren cyber security CVE debrief
CVE-2026-10202 OFCMS CVE debrief
A SQL injection vulnerability exists in OFCMS 1.1.3 within the Query function of SystemDictController.java, affecting the JSON Query Interface. The vulnerability allows remote attackers to manipulate SQL queries through the affected component. The issue was reported to the project maintainers via Gitee but had not received a response at the time of CVE publication. The exploit is publicly available, though the CVSS 4.0 base score of 2.1 reflects LOW severity, with a network attack vector, low attack complexity, and low privileges required. The weakness is categorized under CWE-89 (SQL Injection) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
- Vendor: OFCMS
- Product: OFCMS 1.1.3
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-01
- Original CVE updated: 2026-06-01
- Advisory published: 2026-06-01
- Advisory updated: 2026-06-01
Who should care
Organizations running OFCMS 1.1.3 instances with exposed administrative interfaces; security teams monitoring for SQL injection in Java-based CMS platforms; developers maintaining OFCMS forks or deployments
Technical summary
The vulnerability resides in the Query method of SystemDictController.java within OFCMS 1.1.3's administrative module. Insufficient input sanitization in the JSON Query Interface permits SQL injection, enabling remote attackers with low privileges to manipulate backend database queries. The attack requires network access but no user interaction. Public exploit availability increases practical risk despite the LOW CVSS base score. The project was notified through a Gitee issue report prior to CVE publication without confirmed response.
Defensive priority
moderate
Recommended defensive actions
- Review and restrict access to the OFCMS JSON Query Interface, particularly the /ofcms-admin/src/main/java/com/ofsoft/cms/admin/controller/system/SystemDictController.java Query function
- Implement parameterized queries or prepared statements to replace dynamic SQL construction in the affected component
- Apply input validation and sanitization for all user-supplied data processed by the JSON Query Interface
- Monitor for unauthorized database query patterns or unexpected table access attempts
- Contact OFCMS project maintainers via available channels to verify patch status and coordinate remediation
- Consider network segmentation or WAF rules to limit exposure of administrative interfaces if immediate patching is not available
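To make the second and third actions concrete, here is an added example that is not OFCMS code (the real controller is Java): a Python/sqlite3 model of a JSON query endpoint over a constructed dictionary table, with the string-concatenation pattern beside a hardened version that binds the value and allowlists the sort column, since ORDER BY identifiers cannot be bound as parameters. Table, column and function names are hypothetical.

```python
import json
import sqlite3

# Constructed stand-in for a CMS "system dictionary" table (not OFCMS's real schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_dict (id INTEGER PRIMARY KEY, "
                 "dict_type TEXT, dict_code TEXT, dict_value TEXT)")
    conn.executemany(
        "INSERT INTO sys_dict (dict_type, dict_code, dict_value) VALUES (?, ?, ?)",
        [("gender", "M", "Male"), ("gender", "F", "Female"),
         ("status", "0", "Disabled"), ("status", "1", "Enabled")])
    return conn

def query_dict_vulnerable(conn, json_body):
    """Dynamic SQL: request values are spliced into the statement text,
    so a quote in dict_type changes the WHERE clause, and 'sort' is free text."""
    params = json.loads(json_body)
    sql = ("SELECT dict_code, dict_value FROM sys_dict WHERE dict_type = '"
           + params["dict_type"] + "' ORDER BY " + params.get("sort", "id"))
    return conn.execute(sql).fetchall()

# Identifiers cannot be bound as parameters, so the sort column is allowlisted.
ALLOWED_SORT = {"id", "dict_code", "dict_value"}

def query_dict_hardened(conn, json_body):
    """Prepared statement: dict_type is passed as a bound parameter and is
    compared as a literal value; the ORDER BY column must come from the allowlist."""
    params = json.loads(json_body)
    sort = params.get("sort", "id")
    if sort not in ALLOWED_SORT:
        raise ValueError("unsupported sort column: %r" % sort)
    sql = "SELECT dict_code, dict_value FROM sys_dict WHERE dict_type = ? ORDER BY " + sort
    return conn.execute(sql, (params["dict_type"],)).fetchall()

# Constructed request bodies: a normal lookup and one carrying a quote in the value.
NORMAL_BODY = json.dumps({"dict_type": "gender"})
QUOTED_BODY = json.dumps({"dict_type": "gender' OR '1'='1"})

def compare(conn):
    """Row counts for each body under each implementation (used by the self-check)."""
    return {
        "vulnerable_normal": len(query_dict_vulnerable(conn, NORMAL_BODY)),
        "vulnerable_quoted": len(query_dict_vulnerable(conn, QUOTED_BODY)),
        "hardened_normal": len(query_dict_hardened(conn, NORMAL_BODY)),
        "hardened_quoted": len(query_dict_hardened(conn, QUOTED_BODY)),
    }

if __name__ == "__main__":
    print(compare(make_db()))
```

The quoted value returns every row through the concatenated statement but zero rows through the bound one, because no dict_type literally equals that string; the same structure applies to the Java PreparedStatement the project would use.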
Evidence notes
Vulnerability description sourced from NVD entry with VulDB as CNA. Affected file path and function name derived from official CVE description. Vendor contact attempt documented via Gitee issue reference. CVSS 4.0 vector and score from NVD metadata. No patch or vendor response confirmed at time of disclosure.
Official resources
2026-06-01