IronMonkey Threat Research

CVE-2026-36748 CRITICAL

Published: 2026-06-03 | Last Modified: 2026-06-03 | Status: Received

Description

RockRMS v16.13 and before v.17.7.0 is vulnerable to Cross Site Scripting (XSS) via Social Media links in user profile.

CVSS Metrics

Base Score: 9.0 (CRITICAL)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector	NETWORK
Attack Complexity	LOW
Privileges Required	LOW
User Interaction	REQUIRED
Scope	CHANGED
Confidentiality Impact	HIGH
Integrity Impact	HIGH
Availability Impact	HIGH

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Type: Secondary

Exploitability Score: 2.3

Impact Score: 6.0

Weaknesses

Source	Type	Description
134c704f-9b21-4f2e-91b3-4a467353bcc0	Secondary	en CWE-79

References

http://sparkdevnetwork.com
Source: [email protected]
https://raxis.com/blog/cve-2026-36748-xss-in-rock-rms-leads-to-privilege-escalation/
Source: [email protected]
https://raxis.com/blog/cve-2026-36748-xss-in-rock-rms-leads-to-privilege-escalation/
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Message here