PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31845 Rukovoditel CVE debrief

A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier, specifically within the Zadarma telephony API endpoint at /api/tel/zadarma.php. The vulnerability stems from direct reflection of user-supplied input from the 'zd_echo' GET parameter into HTTP responses without sanitization, output encoding, or content-type restrictions. The vulnerable code pattern directly outputs the parameter value via exit($_GET['zd_echo']). This allows unauthenticated attackers to craft malicious URLs containing JavaScript payloads that execute in victims' browsers when visited, potentially enabling session hijacking, credential theft, phishing, or account takeover. The issue was resolved in version 3.7 through implementation of proper input validation and output encoding.

Vendor
Rukovoditel
Product
Rukovoditel CRM
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-11
Original CVE updated
2026-05-19
Advisory published
2026-04-11
Advisory updated
2026-05-19

Who should care

Organizations operating Rukovoditel CRM instances version 3.6.4 or earlier, particularly those with Zadarma telephony integration enabled. Security teams responsible for web application security, CRM administrators, and developers maintaining Rukovoditel deployments should prioritize patching.

Technical summary

The vulnerability exists in /api/tel/zadarma.php, where the zd_echo GET parameter is reflected directly via exit($_GET['zd_echo']) without output encoding. This classic reflected XSS pattern allows attacker-controlled JavaScript to execute in the security context of the application. The endpoint appears designed for the echo/verification step of the Zadarma telephony integration. Attack vectors include malicious links distributed via email or social media, or embedded in compromised sites. Successful exploitation requires victim interaction (visiting a crafted URL) and grants the attacker capabilities bounded by the same-origin policy of the application's domain.

Defensive priority

Critical

Recommended defensive actions

  • Upgrade Rukovoditel CRM to version 3.7 or later to obtain the security fix implementing proper input validation and output encoding
  • If immediate patching is not feasible, implement Web Application Firewall (WAF) rules to block requests containing suspicious patterns in the zd_echo parameter
  • Review access logs for /api/tel/zadarma.php for anomalous requests containing script tags, event handlers, or encoded JavaScript payloads
  • Implement Content Security Policy (CSP) headers to mitigate impact of any XSS vulnerabilities
  • Conduct security review of similar API endpoints that may reflect user input directly in responses
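The access-log review recommended above, as an added example that is not part of this advisory or of the Rukovoditel project: it scans constructed combined-format log lines for requests to /api/tel/zadarma.php whose zd_echo value, after repeated URL-decoding (so double-encoded payloads are not missed), contains script tags, inline event handlers, or script-scheme URLs. The log lines and indicator patterns are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Indicators of script injection in a reflected parameter: script tags,
# inline event handlers, javascript:/data: URLs, and common injection tags.
XSS_INDICATORS = re.compile(
    r"<\s*/?\s*script|\bon[a-z]+\s*=|javascript\s*:|data\s*:\s*text/html"
    r"|<\s*(img|svg|iframe|body)\b",
    re.IGNORECASE,
)

# Constructed sample access log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Apr/2026:10:01:02 +0000] "GET /api/tel/zadarma.php?zd_echo=123456 HTTP/1.1" 200 6 "-" "Zadarma/1.0"
203.0.113.9 - - [11/Apr/2026:10:02:15 +0000] "GET /api/tel/zadarma.php?zd_echo=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Apr/2026:10:02:40 +0000] "GET /api/tel/zadarma.php?zd_echo=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 40 "-" "Mozilla/5.0"
198.51.100.2 - - [11/Apr/2026:10:03:01 +0000] "GET /index.php?module=dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need: client IP, timestamp, request target.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_zadarma_requests(log_text):
    """Return (ip, timestamp, decoded zd_echo) for zadarma.php hits that look like script injection."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/api/tel/zadarma.php"):
            continue
        # parse_qs already decodes one layer; fully_decode handles any remaining layers.
        for raw in parse_qs(url.query, keep_blank_values=True).get("zd_echo", []):
            decoded = fully_decode(raw)
            if XSS_INDICATORS.search(decoded):
                hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits
```

Run it over a real log with `suspicious_zadarma_requests(open(path).read())`; the legitimate numeric echo request in the sample is not flagged, while both the plainly encoded and the double-encoded payloads are.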

Evidence notes

Vulnerability confirmed in Rukovoditel CRM ≤3.6.4 via direct code analysis of the zadarma.php endpoint. Classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS 4.0 vector indicates a network attack vector, low attack complexity, no privileges required, and user interaction required, with high impacts to the confidentiality, integrity, and availability of victim resources. Fix confirmed in version 3.7.

Official resources

2026-04-11T19:16:28.537Z