Reflected XSS Vulnerability in Rukovoditel CRM Affected by Zadarma API
CVE-2026-31845

9.3CRITICAL

Key Information:

Vendor: Rukovoditel
Status: Rukovoditel Crm
Vendor: CVE Published:; 11 April 2026

🔔 Create Rukovoditel Vulnerability Alert

What is CVE-2026-31845?

A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM versions up to 3.6.4, specifically in the Zadarma telephony API endpoint. This flaw allows attackers to inject malicious JavaScript through the 'zd_echo' GET parameter, leading to potential session hijacking, credential theft, and account takeover when victims unknowingly execute the crafted URL. Version 3.7 addresses this vulnerability by implementing proper input validation and output encoding to mitigate script injection risks.

Affected Version(s)

Rukovoditel CRM 3.6.4

Rukovoditel CRM 3.7

References

https://forum.rukovoditel.net/viewtopic.php?p=22499#p22499

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 11, 2026
Vulnerability Reserved
Mar 9, 2026

Credit

Shukrullo Raximov (Mothra)

CVE-2026-31845 Data

JSON