CVE-2026-31845: Rukovoditel CRM XSS
Overview
A critical reflected cross-site scripting (XSS) vulnerability, CVE-2026-31845, affects Rukovoditel CRM versions 3.6.4 and earlier. The flaw resides in the Zadarma telephony API endpoint (/api/tel/zadarma.php), where user input is directly reflected in the HTTP response without sanitization.
Vulnerability Details
The vulnerable code simply echoes unsanitized user input from the zd_echo GET parameter:
// Vulnerable: the zd_echo query parameter is written straight into the response body, unvalidated and unencoded
if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']);
This allows an unauthenticated attacker to craft a malicious URL containing JavaScript payloads. When an authenticated user visits the crafted link, the embedded script executes in their browser session within the context of the Rukovoditel application.
Impact
Successful exploitation could lead to session hijacking, theft of administrator or user credentials, phishing attacks within the application, or complete account takeover. The high CVSS score of 9.3 stems from the network-based attack vector, low attack complexity, and no required privileges, though user interaction (clicking a link) is needed.
Remediation
The vendor has addressed this vulnerability in Rukovoditel CRM version 3.7. Affected users must upgrade to this version immediately. The fix implements proper input validation and output encoding to neutralize malicious scripts.
If immediate upgrade is not possible, consider implementing a web application firewall (WAF) with rules to block XSS payloads targeting the /api/tel/zadarma.php endpoint. However, upgrading is the only complete solution.
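As an added illustration (not the vendor's own 3.7 patch), one way to harden this handler in PHP, assuming the zd_echo value is a short alphanumeric verification token that the telephony provider expects to be returned as-is:

```php
<?php
// Added example: hardened zd_echo handler. This is not Rukovoditel's actual fix.
// Assumptions: zd_echo is a short verification token made of [A-Za-z0-9_-] that
// must be echoed back verbatim; anything else is rejected rather than reflected.

declare(strict_types=1);

/**
 * Return the body to send for a zd_echo request, or null when the value is rejected.
 * Input validation: string only (a ?zd_echo[]=... array is refused), allow-listed
 * characters, bounded length. A value containing '<', '"' or '&' never gets echoed.
 */
function zd_echo_response(array $query): ?string
{
    if (!isset($query['zd_echo']) || !is_string($query['zd_echo'])) {
        return null;
    }
    $value = $query['zd_echo'];
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $value) !== 1) {
        return null;
    }
    return $value;
}

$body = zd_echo_response($_GET);
if ($body === null) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=utf-8');
    exit('invalid zd_echo');
}

// Defence in depth: declare the body as plain text and forbid MIME sniffing so the
// browser never treats it as HTML, and HTML-encode on the way out. The encoding is a
// no-op for the allow-listed character set, but keeps the response safe if the
// allow-list is ever loosened later.
header('Content-Type: text/plain; charset=utf-8');
header('X-Content-Type-Options: nosniff');
exit(htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
```

The three layers (allow-list validation, a non-HTML content type with nosniff, and output encoding) are independent, so a request like the crafted link described above is refused at the first layer and would still be inert at the others.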
Security Insight
This vulnerability highlights a persistent class of flaws in web applications: the improper handling of user-supplied data in API endpoints that are often considered "internal." As with past incidents in other CRMs, it shows how auxiliary features such as telephony integration can introduce critical risk when security practices are not applied uniformly. It underscores the need for systematic input validation at every application entry point, not just the primary user interface.