Platform: php
Component: rukovoditel
Fixed in: 3.7
CVE-2026-31845 describes a critical reflected cross-site scripting (XSS) vulnerability found in Rukovoditel CRM versions 3.6.4 and earlier. This flaw allows an attacker to inject malicious JavaScript code into the application, potentially compromising user accounts and sensitive data. The vulnerability resides within the Zadarma telephony API endpoint and is fixed in version 3.7.
An attacker can exploit this XSS vulnerability by crafting a malicious URL containing JavaScript payloads. When a victim clicks on this link, the injected script executes within their browser context, with the same privileges as the user. This could lead to session hijacking, account takeover, defacement of the CRM interface, or the theft of sensitive information like login credentials, customer data, or financial details. The impact is particularly severe given the potential for widespread compromise within an organization using Rukovoditel CRM.
CVE-2026-31845 was publicly disclosed on 2026-04-11. No public proof-of-concept (POC) code has been published at the time of writing, but the simplicity of the vulnerability suggests that a POC is likely to emerge. The vulnerability's ease of exploitation and the potential for significant impact suggest a medium to high probability of exploitation. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-31845 is to immediately upgrade Rukovoditel CRM to version 3.7 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule that inspects requests carrying the 'zd_echo' parameter and blocks those whose value contains suspicious JavaScript patterns. Input validation and output encoding should be implemented on the server side to prevent future XSS vulnerabilities. After upgrading, confirm the vulnerability is resolved by submitting a simple JavaScript payload via the 'zd_echo' parameter and verifying that it is not executed.
Update to version 3.7 or later of Rukovoditel CRM. This version includes input validation and output encoding to prevent script injection.
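The following is an added illustration, not Rukovoditel's code: a hypothetical Zadarma-style echo endpoint in PHP, shown in its reflecting (vulnerable) form beside a hardened form that applies the server-side input validation and output encoding the advisory recommends. The parameter name 'zd_echo' comes from the advisory; the expected token format (short alphanumeric) and the function names are assumptions for the example.

```php
<?php
// Added example, not Rukovoditel's code. Models a webhook verification
// endpoint that must reply with the value of the zd_echo query parameter.
// Assumption: legitimate tokens are short and alphanumeric.
declare(strict_types=1);

// Vulnerable pattern: the parameter is reflected into the response body
// unchanged. Served as text/html, any markup in it is rendered and any
// script in it runs in the visiting user's browser context.
function vulnerable_echo(array $query): string
{
    return (string) ($query['zd_echo'] ?? '');
}

// Hardened pattern: allow-list the token format (input validation), refuse
// anything else, and HTML-encode the value that is returned (output encoding).
// The encoding is a no-op for values that pass the allow-list; it stays as
// defense in depth in case the allow-list is later relaxed.
function hardened_echo(array $query): array
{
    $token = $query['zd_echo'] ?? null;
    if (!is_string($token) || preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $token) !== 1) {
        return ['status' => 400, 'body' => 'invalid zd_echo'];
    }
    $body = htmlspecialchars($token, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return ['status' => 200, 'body' => $body];
}

// Serving the hardened reply as text/plain with nosniff means the browser
// never interprets the response as a document, even if a future change
// reintroduces an unencoded value.
function send_hardened(array $query): void
{
    $reply = hardened_echo($query);
    http_response_code($reply['status']);
    header('Content-Type: text/plain; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');
    echo $reply['body'];
}

// Self-check over constructed inputs; returns true when the hardened form
// behaves as intended and the vulnerable form reflects markup verbatim.
function self_check(): bool
{
    $legit  = ['zd_echo' => 'abc123'];           // constructed legitimate token
    $markup = ['zd_echo' => '<b>x</b>'];         // constructed markup-bearing value
    $ok = vulnerable_echo($markup) === '<b>x</b>';                     // reflected as-is
    $ok = $ok && hardened_echo($legit) === ['status' => 200, 'body' => 'abc123'];
    $ok = $ok && hardened_echo($markup)['status'] === 400;             // rejected
    $ok = $ok && hardened_echo([])['status'] === 400;                  // missing parameter
    return $ok;
}

if (PHP_SAPI === 'cli') {
    echo self_check() ? "checks passed\n" : "checks FAILED\n";
} else {
    send_hardened($_GET);
}
```

Run it with `php example.php` to execute the self-check; deployed behind a web server it serves the hardened reply. The allow-list is the primary control, because a verification token has no reason to contain markup characters at all; the encoding and the text/plain content type are layered behind it so that no single mistake reintroduces reflection.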
CVE-2026-31845 is a critical reflected XSS vulnerability in Rukovoditel CRM versions 3.6.4 and earlier (fixed in 3.7), allowing attackers to inject malicious JavaScript via the 'zd_echo' parameter in the Zadarma telephony API.
If you are using Rukovoditel CRM versions 3.6.4 or earlier, you are vulnerable to this XSS attack. Upgrade to version 3.7 to mitigate the risk.
The recommended fix is to upgrade Rukovoditel CRM to version 3.7 or later. As a temporary workaround, implement a WAF rule to filter requests containing the 'zd_echo' parameter.
While no active exploitation has been confirmed, the vulnerability's simplicity suggests a high probability of exploitation. Monitor your systems closely.
Refer to the official Rukovoditel CRM security advisory for detailed information and updates regarding CVE-2026-31845.