Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
LEX Baza Dokumentów is vulnerable to DOM-based XSS in "em" cookie parameter. The application unsafely processes the parameter on the client side, allowing an attacker to execute arbitrary JavaScript in the context of the victim's browser. An attacker with ability to set a cookie can perform a more severe attack, so we evaluate the impact and risk of exploitation as minimal. However, the vendor considered this a vulnerability and released a security patch.
This issue was fixed in version 1.3.4.
AnalysisAI
DOM-based cross-site scripting in LEX Baza Dokumentów through version 1.3.3 allows attackers to execute arbitrary JavaScript in victim browsers via unsafe processing of the 'em' cookie parameter on the client side. Exploitation requires local access and user interaction, and the attacker must have the ability to set a cookie, significantly limiting real-world attack surface. The vendor has released patch version 1.3.4 to address this vulnerability.
Technical ContextAI
This is a DOM-based XSS vulnerability (CWE-79) affecting Wolters Kluwer Polska's LEX Baza Dokumentów application. The vulnerability resides in client-side JavaScript code that processes the 'em' cookie parameter without proper sanitization or encoding before rendering it into the DOM. Unlike reflected or stored XSS, DOM-based XSS occurs entirely within the browser-the vulnerable code reads from a client-controlled source (the cookie) and writes it to a dangerous sink (DOM manipulation) without validation. The attack vector is local (AV:L per CVSS 4.0), meaning an attacker must have some form of local access to set the cookie, which could be on a shared workstation or via a previous compromise. The user interaction requirement (UI:A) further constrains exploitation-the victim must actively perform an action that triggers the vulnerable code path.
RemediationAI
Upgrade LEX Baza Dokumentów to version 1.3.4 or later, which contains the vendor-released patch. The primary mitigation is simply applying this update. If immediate patching is not feasible, restrict access to LEX Baza Dokumentów to trusted users only, and implement cookie security policies such as HttpOnly and Secure flags (if not already in place) to reduce the attack surface for cookie manipulation. However, these are compensating controls with trade-offs: HttpOnly prevents legitimate client-side JavaScript from reading the cookie, potentially breaking intended functionality, and Secure flags only apply to HTTPS connections. A more direct compensating control would be to disable or restrict cookie-based authentication/session mechanisms if operationally viable, though this may degrade user experience. For shared workstation environments, consider implementing endpoint security controls to prevent unauthorized local code execution that could lead to cookie manipulation. Given the low EPSS and lack of active exploitation, patching can be scheduled as part of routine maintenance rather than emergency response.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26366