Skip to main content

WebControl CMS CVE-2026-6954

| EUVDEUVD-2026-40271 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-30 INCIBE GHSA-865c-wrhg-fwg8
5.1
CVSS 4.0 · Vendor: INCIBE
Share

Severity by source

Vendor (INCIBE) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Network-delivered reflected XSS requires user interaction (UI:R), changes scope to victim's browser (S:C), enabling cookie theft (C:L) and unauthorized actions (I:L), with no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (INCIBE).

CVSS VectorVendor: INCIBE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 10:20 vuln.today

DescriptionCVE.org

Cross-Site Scripting (XSS) vulnerability in Intermark IT's WebControl CMS v3.5. This vulnerability allows an attacker to execute JavaScript code or inject a dynamic iframe into the victim’s browser by sending a malicious URL via the 'urlDestino' parameter in '/portal.do'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, display phishing interfaces, or perform actions on the user’s behalf.

AnalysisAI

Reflected Cross-Site Scripting in Intermark IT's WebControl CMS v3.5 allows an unauthenticated remote attacker to inject and execute arbitrary JavaScript in a victim's browser by tricking them into visiting a crafted URL targeting the 'urlDestino' parameter of the '/portal.do' endpoint. Successful exploitation enables session cookie theft, phishing overlay injection, and unauthorized actions performed within the victim's authenticated session context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious 'urlDestino' URL
Delivery
Deliver link to authenticated victim via phishing
Exploit
Victim clicks link, browser loads /portal.do
Execution
Reflected XSS payload executes in victim's browser
Persist
Steal session cookie or inject phishing UI
Impact
Attacker hijacks victim session

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to actively click a specially crafted URL containing the malicious 'urlDestino' parameter value directed at the '/portal.do' endpoint - this is an active user interaction requirement (UI:A per the CVSS 4.0 vector), not a passive page-load trigger. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.1 (Medium) reflects a nuanced risk profile: while network-accessible with no authentication required and low complexity (AV:N/AC:L/PR:N), exploitation requires user interaction (UI:A - active click), and the impact is confined to subsequent-system integrity (SI:L), with no confidentiality or availability impact on either the vulnerable or subsequent system per the vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL targeting the WebControl CMS portal endpoint with a malicious payload embedded in the 'urlDestino' parameter - for example, appending a script tag or iframe injection string - and delivers it to a target user via phishing email, social media, or a compromised website link. The victim, who holds an active authenticated session in the CMS, clicks the link and their browser executes the injected JavaScript, which exfiltrates the session cookie to an attacker-controlled server. …
Remediation Upgrade to a patched version of WebControl CMS as directed by the vendor Intermark IT and the INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-intermark-its-webcontrol-cms. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-6954 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy