CVE-2026-36748 (Severity: CRITICAL). CNA: mitre.

CVE-2026-36748: RockRMS v16

RockRMS v16.13 and earlier, and versions before v17.7.0, are vulnerable to stored cross-site scripting (XSS) via Social Media links in the user profile.

Metrics

CVSS v3.1: 9.0
Severity: CRITICAL
Fixed in: no fix version published upstream
Affected Products: 1


HarborGuard Analysis

Synopsis

A stored cross-site scripting (XSS) vulnerability affects RockRMS versions 16.13 and earlier, as well as versions before 17.7.0. It is reachable over the network: an attacker with a low-privilege account injects a payload through a Social Media link on their own user profile, and the payload runs whenever a victim views that profile. Successful exploitation executes attacker-controlled script in the victim's browser within the application's origin, enabling theft of data the victim can see, modification of displayed content, and arbitrary actions performed as the victim. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-36748 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle RockRMS.

Triage: Available

Triage is available with a CVSS score of 9.0 (Critical, v3.1), which HarborGuard surfaces alongside each customer organization's compliance policy weighting to prioritize the finding appropriately. Routed alerts reach the correct team inbox based on per-environment ownership rules configured by each organization.

Patch: Pending upstream

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated without manual intervention once a fix is available.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the RockRMS service over the network to submit a malicious Social Media link payload.

  • Authentication: Required

    A low-privilege authenticated account is sufficient; the attacker must be able to edit their own user profile to inject the payload.

  • Victim interaction: Required

    A victim must view or otherwise trigger the rendering of the attacker's profile page containing the malicious Social Media link for the payload to execute.

  • Attack complexity: Low

    Attack complexity is low (CVSS AC:L), meaning the exploit is reliable and does not depend on race conditions or specific environmental configurations beyond the attacker having an account and a victim viewing the profile.

Blast Radius

  • Reads any cookie not flagged HttpOnly, tokens kept in page storage, and any sensitive data visible in the victim's authenticated session; HttpOnly cookies cannot be read directly, but the script can still issue authenticated requests that carry them.
  • Performs arbitrary actions within the application on behalf of the victim, such as modifying account settings or submitting forms.
  • Exfiltrates data rendered in the victim's browser context, including personal or organizational records surfaced by the application.
  • Injects persistent malicious content into the application interface that executes each time any user views the compromised profile.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-36748 is active across all environments scanning images that include RockRMS, with the finding scored at CVSS 9.0 Critical and routed per each organization's compliance policy. Because no upstream fix has been published, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. In the interim, compensating controls worth considering include: restricting who can reach the profile-editing and profile-viewing surfaces (network-policy or access rules), since the payload enters through a profile edit and fires on a profile view; a Content Security Policy enforced at the ingress or reverse-proxy layer to limit script execution, rolled out first in report-only mode, because a policy that blocks the application's own inline scripts will break it and a policy the application's markup cannot satisfy blocks nothing useful; marking session cookies HttpOnly and SameSite so a payload cannot read them outright, which narrows but does not remove the blast radius; feature-flag gating on Social Media link display if the application supports it; and an audit of already-stored Social Media link values, because a payload stored before the patch lands keeps executing until the data itself is cleaned. For customers with auto-remediation enabled, the patched rebuild, regression test run, and PR against affected workloads will trigger without manual steps once upstream ships the fix.
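The sink this class of bug lives in, as an added example that is not RockRMS or HarborGuard code: the vulnerable pattern of interpolating a stored profile link straight into an href, next to a hardened version that allowlists the scheme and attribute-encodes the value, plus a small audit routine over already-stored values for the interim period the Patch section and the compensating controls above describe. The advisory only states that the payload travels through a Social Media link, so the exact RockRMS sink, the field names, and the sample rows below are assumptions constructed for illustration.

```python
"""Added example (not RockRMS or HarborGuard code): guarding and auditing
user-supplied profile links of the kind this CVE abuses.

Assumption: the sink is a user-controlled URL written into <a href> without
scheme validation or attribute encoding; the advisory does not say more.
"""
import html
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Browsers delete ASCII tab, CR and LF anywhere in a URL and strip leading and
# trailing C0 controls/space before parsing, so "java\tscript:alert(1)" is a
# javascript: URL to the browser. Mirror that before any check runs.
_STRIPPED_INSIDE = re.compile(r"[\t\r\n]")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
# Characters that must never appear raw in a URL headed for an attribute.
_MARKUP_CHARS = re.compile(r"[\s\"'<>`]")


def normalize_url(raw: str) -> str:
    return _STRIPPED_INSIDE.sub("", raw).strip(_C0_AND_SPACE)


def classify_link(raw: str):
    """Return None for an acceptable absolute http(s) URL, else a short reason."""
    url = normalize_url(raw)
    if _MARKUP_CHARS.search(url):
        return "markup or quote characters in URL"
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 bracket host
        return "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"disallowed scheme {parts.scheme!r}"
    if not parts.netloc:
        return "no host"
    return None


def is_safe_social_link(raw: str) -> bool:
    return classify_link(raw) is None


def render_social_link_vulnerable(url: str) -> str:
    # Anti-pattern: the stored value lands in href unvalidated and unencoded,
    # so both javascript: URLs and attribute breakouts reach the browser.
    return f'<a href="{url}">profile</a>'


def render_social_link_safe(url: str):
    """Validate the scheme first, then attribute-encode; None means render nothing.
    Encoding alone is not enough: a well-formed javascript: URL survives it."""
    if not is_safe_social_link(url):
        return None
    href = html.escape(normalize_url(url), quote=True)
    return f'<a href="{href}" rel="noopener noreferrer nofollow">profile</a>'


# Constructed sample rows (person id, field, stored value); not real data.
SAMPLE_PROFILE_LINKS = [
    ("p1001", "Twitter", "https://twitter.com/example"),
    ("p1002", "Facebook", "javascript:alert(document.cookie)"),
    ("p1003", "Instagram", 'https://example.com/"><img src=x onerror=alert(1)>'),
    ("p1004", "LinkedIn", "java\tscript:alert(1)"),
    ("p1005", "Twitter", "HTTPS://twitter.com/?u=1&v=2"),
]


def scan_stored_links(rows):
    """Triage helper: flag stored values that fail validation, i.e. payloads
    injected before a fix was deployed and still sitting in the database."""
    findings = []
    for person_id, field, value in rows:
        reason = classify_link(value)
        if reason is not None:
            findings.append({"person_id": person_id, "field": field,
                             "value": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_stored_links(SAMPLE_PROFILE_LINKS):
        print(f"{f['person_id']} {f['field']}: {f['reason']}: {f['value']!r}")
```

The validator insists on an absolute http(s) URL with a host; if the application accepts bare handles or hostnames, prefix https:// before validating rather than loosening the scheme check. The tab-stripping step matters because a check written as a plain prefix match on "javascript:" misses java\tscript:, which the browser happily treats as the same scheme.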

Affected packages: n/a

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H