Stored Cross-Site Scripting (XSS) vulnerability in Stel Order_CVE-2026-5790

5.1 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Description

Stored Cross-Site Scripting (XSS) in Stel Order v3.25.1 and earlier, located at the ‘/app/FrontController’ endpoint via the ‘legalName’ and ‘employeeID’ parameters. The lack of proper input sanitization allows an attacker to inject malicious code that is persistently stored in the database. When other users or administrators access the affected sections, the code executes in their browsers, enabling the theft of session cookies and account hijacking.

Basic Information

ID CVE-2026-5790

Source INCIBE

Published May 14, 2026 at 12:30

Modified May 14, 2026 at 13:47

Affected Product

Vendor Stel Order

Product Stel Order

Affected Versions Stel Order Stel Order 0

CWE Classification

CWE-79

References

www.incibe.es /en/incibe-cert/notices/aviso/multiple-vulnerabilities-stel-order

{
    "lastseen": "",
    "description": "Stored Cross-Site Scripting (XSS) in Stel Order v3.25.1 and earlier, located at the \u2018/app/FrontController\u2019 endpoint via the \u2018legalName\u2019 and \u2018employeeID\u2019 parameters. The lack of proper input sanitization allows an attacker to inject malicious code that is persistently stored in the database. When other users or administrators access the affected sections, the code executes in their browsers, enabling the theft of session cookies and account hijacking.",
    "published": "2026-05-14T12:30:32.023Z",
    "modified": "2026-05-14T13:47:51.077Z",
    "type": "cve",
    "title": "Stored Cross-Site Scripting (XSS) vulnerability in Stel Order",
    "source": "INCIBE",
    "references": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-stel-order",
    "id": "CVE-2026-5790",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "Stel Order Stel Order 0",
    "sourceHref": "",
    "cvss": {
        "score": 5.1,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Stel Order",
    "version": "0",
    "vendor": "Stel Order",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}