CVE-2026-31845
Published: 11 April 2026
Summary
CVE-2026-31845 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Rukovoditel CRM (inferred from references). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-15 requires filtering information output prior to transmission or display, directly preventing the reflection of unsanitized 'zd_echo' input as executable JavaScript in the HTTP response.
SI-10 mandates information input validation at defined points, addressing the lack of validation on the 'zd_echo' GET parameter to block malicious JavaScript payloads.
SI-2 ensures timely identification, reporting, and correction of system flaws like the vulnerable code in /api/tel/zadarma.php, enabling patching to version 3.7 with input validation and output encoding.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A reflected XSS in a public-facing endpoint directly enables T1190 (exploitation via a crafted URL); it also facilitates T1059.007 (JavaScript execution in the victim's browser) and T1566.002 (malicious links delivered by phishing), with session hijacking or account takeover as the end result.
NVD Description
A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response without proper sanitization, output encoding, or content-type restrictions. The vulnerable code is: if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']); An unauthenticated attacker can exploit this issue by crafting a malicious URL containing JavaScript payloads. When a victim visits the link, the payload executes in the context of the application within the victim's browser, potentially leading to session hijacking, credential theft, phishing, or account takeover. The issue is fixed in version 3.7, which introduces proper input validation and output encoding to prevent script injection.
Deeper analysis
CVE-2026-31845 is a reflected cross-site scripting (XSS) vulnerability in Rukovoditel CRM version 3.6.4 and earlier. It affects the Zadarma telephony API endpoint at /api/tel/zadarma.php, where the application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response without proper sanitization, output encoding, or content-type restrictions. The vulnerable code snippet is: if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']).
An unauthenticated attacker can exploit this vulnerability by crafting a malicious URL containing JavaScript payloads. When a victim visits the link, the payload executes in the context of the application within the victim's browser, potentially leading to session hijacking, credential theft, phishing, or account takeover. The vulnerability has a CVSS score of 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) and maps to CWE-79.
The issue is fixed in Rukovoditel CRM version 3.7, which introduces proper input validation and output encoding to prevent script injection. Additional details are provided in the forum advisory at https://forum.rukovoditel.net/viewtopic.php?p=22499#p22499.
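As an added illustration (not Rukovoditel's code and not the vendor's actual 3.7 fix), the reflected pattern quoted above is shown beside a hardened handler. It assumes the endpoint must still echo zd_echo back as a plain-text response and that a valid echo token is short and alphanumeric; the allow-list pattern and the function names are hypothetical.

```php
<?php
// Added illustration, not Rukovoditel's code. Assumptions: the endpoint must
// still echo zd_echo back as plain text, and a valid token is alphanumeric.

// Vulnerable pattern quoted in the advisory: raw GET input is written straight
// into the response. No Content-Type is set, so PHP defaults to text/html and
// the browser treats any markup in the parameter as live HTML/JavaScript.
function zadarma_echo_vulnerable(array $get): string
{
    if (isset($get['zd_echo'])) {
        return $get['zd_echo']; // reflected unchanged
    }
    return '';
}

// Hardened handler: validate against a strict allow-list, declare a non-HTML
// content type (done by the caller below), and HTML-encode the value anyway as
// defence in depth. Returns null when the value is rejected.
function zadarma_echo_hardened(array $get): ?string
{
    if (!isset($get['zd_echo']) || !is_string($get['zd_echo'])) {
        return null; // missing, or an array smuggled in via zd_echo[]=
    }
    $echo = $get['zd_echo'];
    // Allow-list (assumed format): 1-64 letters or digits, nothing else.
    if (!preg_match('/^[A-Za-z0-9]{1,64}$/', $echo)) {
        return null;
    }
    // Encoding is a no-op for allow-listed input, but if the pattern is ever
    // loosened the response still cannot carry markup.
    return htmlspecialchars($echo, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Request handling as it would sit in /api/tel/zadarma.php.
if (PHP_SAPI !== 'cli') {
    // text/plain plus nosniff stops browsers interpreting the body as HTML.
    header('Content-Type: text/plain; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');
    $out = zadarma_echo_hardened($_GET);
    if ($out === null) {
        http_response_code(400);
        exit('invalid zd_echo');
    }
    exit($out);
}

// Offline check with a constructed input: markup is reflected verbatim by the
// vulnerable handler and rejected by the hardened one.
$sample = ['zd_echo' => '<b>x</b>'];
var_dump(zadarma_echo_vulnerable($sample) === '<b>x</b>');
var_dump(zadarma_echo_hardened($sample) === null);
var_dump(zadarma_echo_hardened(['zd_echo' => 'abc123']) === 'abc123');
```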
Details
- CWE(s)