Vulnerability Description
Stored Cross-Site Scripting (XSS) in Stel Order v3.25.1 and earlier, located at the ‘/app/FrontController’ endpoint via the ‘legalName’ and ‘employeeID’ parameters. The lack of proper input sanitization allows an attacker to inject malicious code that is persistently stored in the database. When other users or administrators access the affected sections, the code executes in their browsers, enabling the theft of session cookies and account hijacking.
References
FAQ
What is CVE-2026-5790?
CVE-2026-5790 is a stored Cross-Site Scripting (XSS) vulnerability in Stel Order v3.25.1 and earlier, located at the ‘/app/FrontController’ endpoint via the ‘legalName’ and ‘employeeID’ parameters.
How severe is CVE-2026-5790?
CVSS scoring is not yet available for CVE-2026-5790. Check NVD for updates.
Is there a patch for CVE-2026-5790?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.