Skip to main content

Stel Order CVE-2026-5790

| EUVDEUVD-2026-30268 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-14 INCIBE GHSA-vjqx-vf5x-gc8m
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 14, 2026 - 15:30 vuln.today
CVSS changed
May 14, 2026 - 13:22 NVD
5.1 (MEDIUM)
CVE Published
May 14, 2026 - 12:30 nvd
MEDIUM 5.1
CVE Published
May 14, 2026 - 12:30 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Stored Cross-Site Scripting (XSS) in Stel Order v3.25.1 and earlier, located at the ‘/app/FrontController’ endpoint via the ‘legalName’ and ‘employeeID’ parameters. The lack of proper input sanitization allows an attacker to inject malicious code that is persistently stored in the database. When other users or administrators access the affected sections, the code executes in their browsers, enabling the theft of session cookies and account hijacking.

AnalysisAI

Stored cross-site scripting (XSS) in Stel Order v3.25.1 and earlier allows unauthenticated remote attackers to inject persistent malicious JavaScript via the 'legalName' and 'employeeID' parameters at the '/app/FrontController' endpoint. When administrators or other users access affected sections, injected code executes in their browsers with user interaction, enabling session hijacking and account takeover. SSVC framework rates this as automatable but only partial technical impact with no confirmed active exploitation.

Technical ContextAI

The vulnerability resides in the FrontController endpoint of Stel Order, a web application handling order management. The root cause (CWE-79: Improper Neutralization of Input During Web Page Generation) stems from insufficient input validation and sanitization of user-supplied data in the 'legalName' and 'employeeID' parameters before storage in the backend database. Unlike reflected XSS, stored XSS persists in the database, meaning the malicious payload executes every time an authenticated user or administrator retrieves and renders that data in their browser context. The attack vector (AV:N/AC:L) indicates this is a network-accessible vulnerability with low complexity, and the requirement for user interaction (UI:A) means the victim must visit a page containing the stored payload for exploitation to succeed.

RemediationAI

Upgrade Stel Order to a version released after v3.25.1 that includes XSS input sanitization. If an exact patched version number is not yet available from the vendor, contact Stel Order support via INCIBE's advisory (https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-stel-order) for patch delivery timeline. Interim compensating controls: (1) Implement Content Security Policy (CSP) headers (e.g., 'default-src self; script-src self') on all Stel Order application pages to prevent inline script execution-trade-off: may break legitimate third-party integrations relying on inline scripts; (2) Apply Web Application Firewall (WAF) rules to block input containing script tags, event handlers (onclick, onerror), and HTML entity sequences in FrontController parameters; trade-off: legitimate users cannot paste text with angle brackets or quote characters; (3) Restrict access to the FrontController endpoint to authenticated users only via network access controls or reverse proxy authentication, reducing the PR:N exposure; trade-off: may break API integrations or public-facing features. Prioritize vendor patching over WAF rules due to the complexity of blacklist-based XSS prevention.

Share

CVE-2026-5790 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy