Skip to main content

Wakyma Application Web CVE-2026-3024

| EUVDEUVD-2026-12397 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-16 INCIBE
4.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
A

Lifecycle Timeline

4
EUVD ID Assigned
Mar 16, 2026 - 11:00 euvd
EUVD-2026-12397
Analysis Generated
Mar 16, 2026 - 11:00 vuln.today
Patch released
Mar 16, 2026 - 11:00 nvd
Patch available
CVE Published
Mar 16, 2026 - 10:13 nvd
MEDIUM 4.8

DescriptionCVE.org

Stored Cross-Site Scripting (XSS) vulnerability in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/configuracion/agenda/modelo-formulario-evento'. A user with permission to create personalized accounts could exploit this vulnerability simply by creating a malicious survey that would harm the entire veterinary team. At the same time, a user with low privileges could exploit this vulnerability to access unauthorized data and perform actions with elevated privileges.

AnalysisAI

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Wakyma veterinary web application at the endpoint 'vets.wakyma.com/configuracion/agenda/modelo-formulario-evento', allowing authenticated users with low privileges to inject malicious scripts that persist in the application and execute in the browsers of other users, potentially enabling unauthorized data access and privilege escalation across the veterinary team. The vulnerability has a CVSS v4.0 base score of 4.8 (low-to-medium severity) but poses meaningful organizational risk due to its stored nature and the ability for low-privileged users to affect higher-privileged team members. No public exploit code or active exploitation in the wild has been reported at this time, though the attack requires only Network access and user interaction, making it feasible for insider threats.

Technical ContextAI

The vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic input validation and output encoding failure in web applications. The Wakyma application (a veterinary practice management platform) fails to properly sanitize or encode user-supplied input when processing form configuration data in the agenda module, specifically in the 'modelo-formulario-evento' (event form model) endpoint. When an authenticated user creates or modifies a survey or event form, malicious JavaScript payload embedded in form fields is stored in the backend database without sanitization. Upon retrieval and rendering, this payload executes in the context of other users' sessions without Content Security Policy (CSP) protection or output encoding. The affected product is Wakyma (specific CPE string not publicly disclosed in standard vulnerability databases, but the endpoint suggests a web-based SaaS application), and the vulnerability can be triggered through ordinary HTTP POST/PUT requests to the configuration endpoint, requiring only Low privilege level (any authenticated user) and User Interaction (victims must view the malicious form).

RemediationAI

Contact Wakyma support immediately to obtain and deploy the latest patched version of the application; patches should address input validation in the event form configuration endpoint by implementing proper HTML entity encoding or using a proven XSS-prevention library (e.g., DOMPurify or similar on the client side, and server-side output encoding using established frameworks). As an interim mitigation while awaiting a patch, restrict access to the 'configuracion/agenda/modelo-formulario-evento' endpoint to veterinarians and authorized administrators only, using role-based access control (RBAC) to prevent low-privileged users from creating or modifying event forms. Additionally, implement a Web Application Firewall (WAF) rule set to detect and block common XSS payloads in form submissions to the vulnerable endpoint, and enable Content Security Policy (CSP) headers with strict script-src policies (e.g., script-src 'self') to prevent inline script execution as a defense-in-depth measure. Monitor application logs for suspicious form modifications or script-like content in form field values. Once the vendor releases a patch, apply it immediately to all instances of the Wakyma application.

Share

CVE-2026-3024 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy