EUVD-2026-21682
A pre-authenticated reflected cross-site scripting XSS vulnerability exists in Rukovoditel CRM version 3.6.4 in the Zadarma telephony API endpoint /api/tel/zadarma.php. The application directly reflects user-supplied input from the 'zdecho' GET parameter into the HTTP response without proper...