CVE-2026-31845: Rukovoditel CRM XSS
Critical XSS in Rukovoditel CRM 3.6.4 and earlier lets attackers hijack sessions and steal credentials via unsanitized API input. Upgrade to version 3.7.
Patch now - CVE-2026-31845 is a critical reflected XSS in Rukovoditel CRM 3.6.4 and earlier that lets an unauthenticated attacker execute arbitrary JavaScript in authenticated browser sessions, enabling session hijacking and credential theft. Upgrade to version 3.7 immediately.
Overview
A critical reflected cross-site scripting (XSS) vulnerability, CVE-2026-31845, affects Rukovoditel CRM versions 3.6.4 and earlier. The flaw resides in the Zadarma telephony API endpoint (/api/tel/zadarma.php), where user input is directly reflected in the HTTP response without sanitization.
Vulnerability Details
The vulnerable code simply echoes unsanitized user input from the zd_echo GET parameter:
// Vulnerable: the raw zd_echo value is written straight into the response body, with no validation or output encoding
if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']);
This allows an unauthenticated attacker to craft a malicious URL containing JavaScript payloads. When an authenticated user visits the crafted link, the embedded script executes in their browser session within the context of the Rukovoditel application.
Impact
Successful exploitation could lead to session hijacking, theft of administrator or user credentials, phishing attacks within the application, or complete account takeover. The high CVSS score of 9.3 stems from the network-based attack vector, low attack complexity, and no required privileges, though user interaction (clicking a link) is needed.
Remediation
The vendor has addressed this vulnerability in Rukovoditel CRM version 3.7. Affected users must upgrade to this version immediately. The fix implements proper input validation and output encoding to neutralize malicious scripts.
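As an added example (not Rukovoditel's own code and not the actual 3.7 patch, whose details the advisory does not show), here is a hardened replacement for the one-line echo quoted under Vulnerability Details. It assumes the caller on the Zadarma side still needs the zd_echo value returned verbatim, so the value is validated against an allow-list and returned as plain text rather than simply dropped; the function names validate_zd_echo and build_zd_echo_response are hypothetical, and the code needs PHP 8 for the mixed type.

```php
<?php
// Added example, not Rukovoditel's code or the vendor's 3.7 fix.
// Assumption: the caller must get the zd_echo value back verbatim (a URL
// verification handshake), so it is validated and returned as plain text.
declare(strict_types=1);

/**
 * Accept only a short, plain token. Returns null when the parameter is
 * missing, is not a string (e.g. zd_echo[]=x), or contains any character
 * outside the allow-list, so '<', '>', quotes and '/' never reach the body.
 */
function validate_zd_echo(mixed $value): ?string
{
    if (!is_string($value)) {
        return null;
    }
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $value) === 1 ? $value : null;
}

/**
 * Build the echo response as a [status, headers, body] triple. Kept apart
 * from header()/exit() so the logic can be unit-tested without a web server.
 */
function build_zd_echo_response(mixed $value): array
{
    $headers = [
        // text/plain plus nosniff is the second, independent line of defence:
        // even a tolerant browser will not render this body as HTML.
        'Content-Type: text/plain; charset=utf-8',
        'X-Content-Type-Options: nosniff',
        'Cache-Control: no-store',
    ];
    $token = validate_zd_echo($value);
    if ($token === null) {
        return [400, $headers, 'invalid zd_echo'];
    }
    return [200, $headers, $token];
}

if (isset($_GET['zd_echo'])) {
    [$status, $headers, $body] = build_zd_echo_response($_GET['zd_echo']);
    http_response_code($status);
    foreach ($headers as $h) {
        header($h);
    }
    exit($body);
}
```

The allow-list is the primary control; the plain-text content type and nosniff header are defence in depth for the case where validation is later loosened. If a deployment ever has to place the token into an HTML context instead, the encoding step is htmlspecialchars($token, ENT_QUOTES | ENT_HTML5, 'UTF-8') at the point of output.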
If immediate upgrade is not possible, consider implementing a web application firewall (WAF) with rules to block XSS payloads targeting the /api/tel/zadarma.php endpoint. However, upgrading is the only complete solution.
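For the interim before the upgrade, here is an added example (not part of the advisory and not a vendor tool) that applies the same allow-list idea retrospectively to web-server access logs, reporting requests to /api/tel/zadarma.php whose zd_echo value was anything other than a plain token. It assumes the Apache/Nginx "combined" log format; the three log lines are constructed for the example, and the function names are hypothetical.

```php
<?php
// Added example, not part of the advisory: flag access-log requests to the
// affected endpoint whose zd_echo value is not a plain token.
// Assumes Apache/Nginx "combined" log format.
declare(strict_types=1);

const ZADARMA_PATH = '/api/tel/zadarma.php';

/** True when the (already URL-decoded) zd_echo value is not a plain token. */
function zd_echo_is_suspicious(string $value): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $value) !== 1;
}

/**
 * Parse one combined-format line. Returns a finding for a suspicious request
 * to the endpoint, or null for every other line.
 */
function inspect_log_line(string $line): ?array
{
    // client ident user [time] "METHOD target PROTOCOL" ...
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
        return null; // not a request line in the expected format
    }
    [, $client, $time, $method, $target] = $m;
    $url = parse_url($target);
    if (!is_array($url) || ($url['path'] ?? '') !== ZADARMA_PATH || !isset($url['query'])) {
        return null;
    }
    // parse_str URL-decodes once, so %3C and a literal '<' are judged alike;
    // a zd_echo[]=x array form is not a string and is skipped.
    parse_str($url['query'], $params);
    $echo = $params['zd_echo'] ?? null;
    if (!is_string($echo) || !zd_echo_is_suspicious($echo)) {
        return null;
    }
    return ['client' => $client, 'time' => $time, 'method' => $method, 'zd_echo' => $echo];
}

/** Scan many lines and return all findings. */
function scan_access_log(iterable $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $f = inspect_log_line(rtrim($line, "\r\n"));
        if ($f !== null) {
            $findings[] = $f;
        }
    }
    return $findings;
}

// Constructed sample lines (not real traffic): one legitimate echo check,
// one request carrying markup in zd_echo, one unrelated request.
$sample = [
    '203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /api/tel/zadarma.php?zd_echo=abc123 HTTP/1.1" 200 6 "-" "Zadarma"',
    '203.0.113.9 - - [10/Mar/2026:12:00:05 +0000] "GET /api/tel/zadarma.php?zd_echo=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 29 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:12:00:09 +0000] "GET /index.php?action=login HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
];

foreach (scan_access_log($sample) as $f) {
    printf("%s %s %s zd_echo=%s\n", $f['time'], $f['client'], $f['method'], $f['zd_echo']);
}
```

Run against the three constructed lines, only the second is reported. The same allow-list expression is what a WAF rule for this endpoint should encode: rather than trying to enumerate XSS payloads, reject any zd_echo value that is not a short plain token, which also keeps the legitimate verification requests from the telephony provider working.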
Security Insight
This vulnerability highlights a persistent class of flaws in web applications: improper handling of user-supplied data in API endpoints that are often considered “internal.” As with past incidents in other CRMs, it shows how auxiliary features such as telephony integration can introduce critical risk when security practices are not applied uniformly. It underscores the need for systematic input validation and output encoding at every application entry point, not just the primary user interface.