What is the CVSS score of CVE-2026-26724?

CVE-2026-26724 has a CVSS 3.1 base score of 7.6 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N. EPSS exploitation probability: 0.1%.

Is there a public PoC exploit available for CVE-2026-26724?

Yes, a public proof-of-concept exploit is available for CVE-2026-26724. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-26724?

Within 24 hours: Inventory all instances of Global Facilities Management Software and identify version numbers; restrict network access to the application to trusted internal networks only. Within 7 days: Implement WAF rules to block XSS payloads; disable any non-critical user-facing features that accept user input; enforce mandatory password resets for all users with administrative or sensitive access. Within 30 days: Monitor vendor advisories for patch availability; conduct security assessment of alternative facilities management solutions; develop migration plan if patch is not released within 60 days.

Global Facilities Management Software CVE-2026-26724

HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-02-20 cve@mitre.org

XSS Global Facilities Management Software

7.6

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.6 HIGH

AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:04 vuln.today

PoC Detected

Feb 26, 2026 - 23:16 vuln.today

Public exploit code

CVE Published

Feb 20, 2026 - 17:25 nvd

HIGH 7.6

DescriptionCVE.org

Cross Site Scripting vulnerability in Key Systems Inc Global Facilities Management Software v. 20230721a allows a remote attacker to execute arbitrary code via the selectgroup and gn parameters on the /?Function=Groups endpoint.

AnalysisAI

Global Facilities Management Software versions up to 20230721a is affected by cross-site scripting (xss) (CVSS 7.6).

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate to Global Facilities Management Software

Exploit

Craft malicious XSS payload in selectgroup/gn parameters

Execution

Submit to /?Function=Groups endpoint

Impact

Execute arbitrary code in victim browser context