CVE Catalog

CVE-2026-36748

CriticalCVSS 9.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

21th percentile — higher than 21% of all known CVEs

Summary

XSS vulnerability in RockRMS versions up to 16.13 and before 17.7.0, present in social media links in user profiles. An attacker can inject malicious script that executes in the victim's browser.

Risk Assessment

Risk of session theft, account takeover, or unauthorized actions within RockRMS. This could lead to data leakage or system integrity compromise.

Recommendation

Immediately upgrade RockRMS to version 17.7.0 or later, which includes a fix for the XSS vulnerability. Also train administrators on secure configuration of social media link fields.

Original NVD description (English source)

RockRMS v16.13 and before v.17.7.0 is vulnerable to Cross Site Scripting (XSS) via Social Media links in user profile.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS