PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10203 OFCMS CVE debrief

A SQL injection vulnerability exists in OFCMS 1.1.3 in the Query function of SystemParamController.java, part of the JSON Query Interface component. A remote attacker who can reach the interface can manipulate the SQL query that the function builds. The issue was reported to the project maintainers through a Gitee issue tracker entry before public disclosure; no response or fix had been issued as of the CVE publication date. The vulnerability has been publicly disclosed and exploit availability has been noted. The CVSS 4.0 base score of 2.1 (LOW) reflects a network attack vector and low attack complexity, but also the privileges an attacker must already hold to reach the endpoint. That base score describes the endpoint in isolation: in a deployment where administrative credentials are shared, weak, or reachable from the internet, the practical risk of a SQL injection against the system-parameter table is higher than the score suggests. The weakness classifications are CWE-89 (SQL Injection) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).

Vendor
OFCMS
Product
OFCMS 1.1.3
CVSS
LOW 2.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-01
Advisory published
2026-06-01
Advisory updated
2026-06-01

Who should care

Organizations running OFCMS 1.1.3 with exposed administrative interfaces; security teams monitoring for SQL injection in Java-based content management systems; defenders tracking unpatched vulnerabilities with public exploit availability

Technical summary

The vulnerability resides in the Query method of SystemParamController.java within the ofcms-admin module of OFCMS 1.1.3. The JSON Query Interface component does not neutralize special elements in the values it places into SQL queries, so an attacker who controls those values can inject SQL statements of their own. Remote exploitation is possible, but the attacker must already hold privileges that reach the administrative query endpoint, which is why the CVSS 4.0 base score is low. The attack surface is the administrative controller's query endpoint. No vendor patch is available as of disclosure, so any fix must come from the deployer (restricting who can reach the endpoint, or patching the controller in a locally built copy) until the project responds.
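To make the weakness class concrete, the following is an added example written for this debrief, not code from OFCMS or from the CVE. OFCMS is a Java application and the real controller is not reproduced here; the example models the same pattern in Python with an in-memory SQLite database. A hypothetical system_param table, the JSON request bodies, and the field names name and order are all constructed for the illustration. query_vulnerable splices a JSON-supplied value straight into the SQL string (the CWE-89 pattern); query_hardened binds the value as a parameter and allow-lists the one part of the query, an ORDER BY column, that cannot be bound as a parameter.

```python
import json
import sqlite3

# Constructed sample data (not from OFCMS): a system-parameter table of the
# kind a SystemParamController query would read. secret=1 rows must never be
# returned by the query interface.
ROWS = [
    ("site_name", "Example Site", 0),
    ("smtp_password", "hunter2", 1),
    ("upload_dir", "/data/uploads", 0),
]

# Constructed attacker body: the quote closes the string literal and the OR
# clauses widen the WHERE so that the secret row is returned.
ATTACK_BODY = json.dumps({"name": "x' OR secret = 1 OR 'a'='b"})
BENIGN_BODY = json.dumps({"name": "site_name"})
# Constructed attempt to smuggle SQL through an identifier, which parameter
# binding alone cannot stop; the allow-list in query_hardened rejects it.
ORDER_ATTACK_BODY = json.dumps({"name": "site_name", "order": "value; DROP TABLE system_param"})


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE system_param (name TEXT, value TEXT, secret INTEGER)")
    conn.executemany("INSERT INTO system_param VALUES (?, ?, ?)", ROWS)
    return conn


def query_vulnerable(conn: sqlite3.Connection, body: str) -> list:
    """CWE-89 pattern: a JSON field is concatenated into the SQL text."""
    req = json.loads(body)
    sql = (
        "SELECT name, value FROM system_param WHERE secret = 0 "
        f"AND name = '{req['name']}'"
    )
    return conn.execute(sql).fetchall()


# Identifiers (column names) cannot be bound as parameters, so they are
# checked against a fixed allow-list instead.
ALLOWED_ORDER_COLUMNS = {"name", "value"}


def query_hardened(conn: sqlite3.Connection, body: str) -> list:
    """Same query with the value bound as a parameter and the identifier allow-listed."""
    req = json.loads(body)
    name = str(req.get("name", ""))
    order = req.get("order", "name")
    if order not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unsupported order column: {order!r}")
    sql = (
        "SELECT name, value FROM system_param WHERE secret = 0 "
        f"AND name = ? ORDER BY {order}"
    )
    return conn.execute(sql, (name,)).fetchall()


def run_demo() -> dict:
    """Run both handlers against the benign and attacker bodies."""
    conn = make_db()
    try:
        query_hardened(conn, ORDER_ATTACK_BODY)
        order_rejected = False
    except ValueError:
        order_rejected = True
    return {
        "vulnerable_benign": query_vulnerable(conn, BENIGN_BODY),
        "vulnerable_attack": query_vulnerable(conn, ATTACK_BODY),
        "hardened_benign": query_hardened(conn, BENIGN_BODY),
        "hardened_attack": query_hardened(conn, ATTACK_BODY),
        "hardened_order_attack_rejected": order_rejected,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The vulnerable handler returns the smtp_password row for the attacker body because the injected OR clauses override the secret = 0 filter; the hardened handler treats the whole string as a literal name, finds nothing, and returns an empty list. The second half of the fix matters for a JSON query interface in particular: such interfaces often let the client choose columns, sort order, or table names, and those identifiers must be allow-listed, since a bound parameter cannot carry them.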

Defensive priority

moderate

Recommended defensive actions

  • Review and restrict network access to the OFCMS administrative interface, and in particular to the JSON Query Interface served by SystemParamController.java; an attacker who cannot reach the endpoint cannot exploit it, and this is the only control available without changing the code
  • If you build OFCMS from source or maintain a local copy, change the Query function to use parameterized queries or prepared statements so that request values are bound rather than concatenated into the SQL text
  • Apply input validation for all user-supplied data processed by the JSON Query Interface; any part of the query that cannot be bound as a parameter (column names, sort order, table names) should be checked against a fixed allow-list
  • Monitor for anomalous requests to SystemParamController endpoints and for unusual database query patterns from the OFCMS database account
  • Consider Web Application Firewall (WAF) rules to detect and block SQL injection attempts against the affected component, treating this as a compensating control rather than a fix; if the parameters travel in a JSON body, the rule must inspect the body, not only the query string
  • Track the Gitee issue tracker for vendor response or patch availability
  • If exploitation is confirmed, review database access logs for unauthorized reads or modifications, and treat any secret stored in the system-parameter table as exposed
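The monitoring item above, as an added example written for this debrief rather than code or logging from OFCMS: a small scanner that runs over access-log lines, keeps only requests to the query endpoint, URL-decodes the parameters, and flags the injection signatures a WAF or SIEM rule would look for. The log lines are constructed for the example, and the route /admin/system/param/query is a placeholder for the SystemParamController query route, which this page does not name; substitute the route from your own deployment.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in combined-log style (not real OFCMS
# logs). The second and third lines carry injection attempts in the query
# string; the first and fourth are benign.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Jun/2026:10:00:01 +0000] "POST /admin/system/param/query?name=site_name HTTP/1.1" 200 312
10.0.0.9 - admin [01/Jun/2026:10:00:07 +0000] "POST /admin/system/param/query?name=x%27+OR+secret%3D1+OR+%27a%27%3D%27b HTTP/1.1" 200 980
10.0.0.9 - admin [01/Jun/2026:10:00:09 +0000] "POST /admin/system/param/query?name=x%27+UNION+SELECT+name%2Cvalue+FROM+system_param-- HTTP/1.1" 200 2048
10.0.0.5 - admin [01/Jun/2026:10:00:15 +0000] "GET /admin/index HTTP/1.1" 200 5120
"""

# Placeholder route for the SystemParamController query endpoint (assumption).
MONITORED_PATH = "/admin/system/param/query"

# Coarse SQL injection signatures applied to the decoded parameters.
# Tune these to the real endpoint: the comment rule in particular will fire
# on legitimate values that contain '#' or '--'.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=", re.I),   # quote followed by a tautology
    re.compile(r"\bunion\b.*\bselect\b", re.I),       # UNION-based extraction
    re.compile(r"(--|#|/\*)"),                        # comment-based truncation
    re.compile(r";\s*(drop|insert|update|delete)\b", re.I),  # stacked statement
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)'
)


def flag_requests(log_text: str) -> list:
    """Return one record per request to MONITORED_PATH whose decoded query matches a signature."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        if path != MONITORED_PATH:
            continue
        decoded = unquote_plus(query)
        matched = [p.pattern for p in SQLI_PATTERNS if p.search(decoded)]
        if matched:
            hits.append({
                "src": m["src"],
                "user": m["user"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "query": decoded,
                "rules": matched,
            })
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['user']} -> {hit['query']} ({len(hit['rules'])} rule(s))")
```

Two points for anyone adapting this: a JSON Query Interface usually receives its parameters in the request body rather than the URL, and a standard access log does not record bodies, so the same matching has to run in the WAF, a reverse proxy with body logging, or application-level logging to see the payload at all. And a successful injection returns status 200 with a larger response than normal, as the constructed lines show, so response size per authenticated user is a useful secondary signal when the parameters are not visible.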

Evidence notes

Vulnerability identified in OFCMS 1.1.3 SystemParamController.java Query function. Gitee issue IJLIYP represents pre-disclosure vendor notification. VulDB entries provide additional analytical context. CVSS 4.0 vector indicates network-accessible attack with required privileges, contributing to low base score despite exploit availability.

Official resources

Public disclosure with reported exploit availability; vendor notified but unresponsive