PatchSiren

Rukovoditel CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL Rukovoditel CVE published 2026-04-11

CVE-2026-31845

A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier, specifically within the Zadarma telephony API endpoint at /api/tel/zadarma.php. The vulnerability stems from direct reflection of user-supplied input from the 'zd_echo' GET parameter into HTTP responses without sanitization, output encoding, or content-type restrictions. The vulnerable code pattern di [truncated]
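The following is an added example, not Rukovoditel's code (which the excerpt above cuts off) and not from PatchSiren. It models the pattern the advisory describes, a handler that echoes the `zd_echo` query parameter straight back, beside a hardened version, plus the triage check a tester would run against a response to decide whether a reflection is actually exploitable. It is written in Python rather than PHP so it runs stand-alone; the handler names, the `Response` shape, the allowed alphabet for `zd_echo` and the probe URL are assumptions. It also assumes the value must still be echoed back for the Zadarma webhook handshake to work, so the fix constrains and encodes the echo rather than removing it; confirm that against Zadarma's documentation before adopting such a filter.

```python
"""Reflected XSS in an 'echo' endpoint: vulnerable pattern beside a hardened
one, and a triage check for the response.

Added example, not Rukovoditel code. Handler names, Response shape, the
allow-list for zd_echo and the probe URL are assumptions for illustration.
"""
import html
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, quote, urlsplit


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


def _query_param(url: str, name: str) -> Optional[str]:
    """Return the first (percent-decoded) value of a query parameter, or None."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(name)
    return values[0] if values else None


def vulnerable_echo(url: str) -> Response:
    """The pattern the advisory describes: zd_echo reflected verbatim into an
    HTML response with no encoding and no content-type restriction."""
    value = _query_param(url, "zd_echo")
    if value is None:
        return Response(400, {"Content-Type": "text/html"}, "missing zd_echo")
    return Response(200, {"Content-Type": "text/html; charset=utf-8"}, value)


# Assumed alphabet for a Zadarma handshake token (assumption: verify against
# real tokens before deploying this allow-list).
ZD_ECHO_RE = re.compile(r"[A-Za-z0-9_.\-]{1,128}")

_PLAIN = {"Content-Type": "text/plain; charset=utf-8",
          "X-Content-Type-Options": "nosniff"}


def hardened_echo(url: str) -> Response:
    """Same echo, with three independent layers: an input allow-list, a
    non-HTML content type the browser will not render (nosniff stops MIME
    guessing), and output encoding in case the content type is ever changed."""
    value = _query_param(url, "zd_echo")
    if value is None or not ZD_ECHO_RE.fullmatch(value):
        return Response(400, dict(_PLAIN), "bad request")
    return Response(200, dict(_PLAIN), html.escape(value, quote=True))


def reflection_is_exploitable(resp: Response, payload: str) -> bool:
    """Triage check for a reflected-XSS finding: the probe came back unencoded
    AND the browser would interpret the body as HTML (explicit text/html, or
    no content type at all, which browsers may sniff)."""
    ctype = resp.headers.get("Content-Type", "").lower()
    renders_as_html = ctype == "" or ctype.startswith("text/html")
    return payload in resp.body and renders_as_html


# Constructed probe: a benign marker that would execute if reflected into HTML.
PAYLOAD = '"><svg onload=alert(1)>'
PROBE_URL = ("https://crm.example.test/api/tel/zadarma.php?zd_echo="
             + quote(PAYLOAD))   # hypothetical host; path as in the advisory
TOKEN_URL = "https://crm.example.test/api/tel/zadarma.php?zd_echo=abc123"


def demo() -> Dict[str, bool]:
    """Run both handlers against the probe and a legitimate token."""
    return {
        "vulnerable_reflects_payload":
            reflection_is_exploitable(vulnerable_echo(PROBE_URL), PAYLOAD),
        "hardened_reflects_payload":
            reflection_is_exploitable(hardened_echo(PROBE_URL), PAYLOAD),
        "hardened_still_echoes_token":
            hardened_echo(TOKEN_URL).body == "abc123",
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The triage check is deliberately conservative: a body that contains the probe but is served as `text/plain` with `nosniff` is a reflection, not an XSS, and that distinction is what separates a fixed build from a vulnerable one when re-testing after an upgrade.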