Is there a public PoC exploit available for CVE-2026-6743?

Yes, a public proof-of-concept exploit is available for CVE-2026-6743. Prioritise patching immediately. EPSS: 0.0%.

Is there a patch available for CVE-2026-6743?

Yes, a patch is available for CVE-2026-6743. Update the affected software to the latest version immediately.

WebSystems WebTOTUM CVE-2026-6743

Q: What is the CVSS score of CVE-2026-6743?

CVE-2026-6743 has a CVSS 4.0 base score of 2.0 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-24201 LOW

Cross-site Scripting (XSS) (CWE-79)

2026-04-21 VulDB

XSS Webtotum

2.0

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.0 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:12 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:12 NVD

5.1 (MEDIUM) 2.0 (LOW)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

Analysis Generated

Apr 21, 2026 - 17:38 vuln.today

Severity Changed

Apr 21, 2026 - 17:22 NVD

LOW MEDIUM

CVSS changed

Apr 21, 2026 - 17:22 NVD

3.5 (LOW) 5.1 (MEDIUM)

EUVD ID Assigned

Apr 21, 2026 - 17:00 euvd

EUVD-2026-24201

Analysis Generated

Apr 21, 2026 - 17:00 vuln.today

Patch released

Apr 21, 2026 - 17:00 nvd

Patch available

CVE Published

Apr 21, 2026 - 16:30 nvd

LOW 2.0

DescriptionCVE.org

A vulnerability has been found in WebSystems WebTOTUM 2026. This impacts an unknown function of the component Calendar. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

AnalysisAI

Cross-site scripting (XSS) in WebSystems WebTOTUM 2026 Calendar component allows authenticated remote attackers to inject malicious scripts via an unknown function, requiring user interaction for exploitation. Publicly available exploit code exists, and vendor has released a patched version following responsible disclosure.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Attacker obtains or compromises WebTOTUM account

Delivery

Crafts malicious URL targeting Calendar function

Exploit

Delivers link to victim via email/messaging

Execution

Victim clicks link while authenticated

Persist

XSS payload executes in victim's browser context

Impact

Attacker exfiltrates session tokens or injects credential harvester