Skip to main content

LEX Baza Dokumentów CVE-2026-1493

| EUVDEUVD-2026-26366 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-30 CERT-PL
4.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

7
Patch released
Apr 30, 2026 - 15:48 nvd
Patch available
Analysis Generated
Apr 30, 2026 - 14:30 vuln.today
Patch available
Apr 30, 2026 - 13:01 EUVD
CVSS changed
Apr 30, 2026 - 12:22 NVD
4.6 (MEDIUM)
EUVD ID Assigned
Apr 30, 2026 - 12:00 euvd
EUVD-2026-26366
Analysis Generated
Apr 30, 2026 - 12:00 vuln.today
CVE Published
Apr 30, 2026 - 11:24 nvd
MEDIUM 4.6

DescriptionCVE.org

LEX Baza Dokumentów is vulnerable to DOM-based XSS in "em" cookie parameter. The application unsafely processes the parameter on the client side, allowing an attacker to execute arbitrary JavaScript in the context of the victim's browser. An attacker with ability to set a cookie can perform a more severe attack, so we evaluate the impact and risk of exploitation as minimal. However, the vendor considered this a vulnerability and released a security patch.

This issue was fixed in version 1.3.4.

AnalysisAI

DOM-based cross-site scripting in LEX Baza Dokumentów through version 1.3.3 allows attackers to execute arbitrary JavaScript in victim browsers via unsafe processing of the 'em' cookie parameter on the client side. Exploitation requires local access and user interaction, and the attacker must have the ability to set a cookie, significantly limiting real-world attack surface. The vendor has released patch version 1.3.4 to address this vulnerability.

Technical ContextAI

This is a DOM-based XSS vulnerability (CWE-79) affecting Wolters Kluwer Polska's LEX Baza Dokumentów application. The vulnerability resides in client-side JavaScript code that processes the 'em' cookie parameter without proper sanitization or encoding before rendering it into the DOM. Unlike reflected or stored XSS, DOM-based XSS occurs entirely within the browser-the vulnerable code reads from a client-controlled source (the cookie) and writes it to a dangerous sink (DOM manipulation) without validation. The attack vector is local (AV:L per CVSS 4.0), meaning an attacker must have some form of local access to set the cookie, which could be on a shared workstation or via a previous compromise. The user interaction requirement (UI:A) further constrains exploitation-the victim must actively perform an action that triggers the vulnerable code path.

RemediationAI

Upgrade LEX Baza Dokumentów to version 1.3.4 or later, which contains the vendor-released patch. The primary mitigation is simply applying this update. If immediate patching is not feasible, restrict access to LEX Baza Dokumentów to trusted users only, and implement cookie security policies such as HttpOnly and Secure flags (if not already in place) to reduce the attack surface for cookie manipulation. However, these are compensating controls with trade-offs: HttpOnly prevents legitimate client-side JavaScript from reading the cookie, potentially breaking intended functionality, and Secure flags only apply to HTTPS connections. A more direct compensating control would be to disable or restrict cookie-based authentication/session mechanisms if operationally viable, though this may degrade user experience. For shared workstation environments, consider implementing endpoint security controls to prevent unauthorized local code execution that could lead to cookie manipulation. Given the low EPSS and lack of active exploitation, patching can be scheduled as part of routine maintenance rather than emergency response.

Share

CVE-2026-1493 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy