PT-2026-2171 · Gestsup · Gestsup

Geoffrey Robert +2 · Published 2026-01-09 · Updated 2026-01-09 · CVE-2026-22198

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: GestSup versions up to and including 3.2.56

Description: GestSup versions up to and including 3.2.56 contain a pre-authentication stored cross-site scripting (XSS) issue in the API error logging functionality. An unauthenticated attacker can inject attacker-controlled HTML/JavaScript into log entries by sending a crafted API request with a malicious X-API-KEY header value to the /api/v1/ticket.php endpoint. When an administrator views the affected logs in the web interface, the injected content is rendered without proper output encoding, leading to arbitrary script execution in the administrator’s browser session.

Recommendations: GestSup versions prior to 3.2.56 should be updated.
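The pattern the description names (an untrusted request header written into a log entry and later rendered into an admin page without output encoding) is shown below as an added illustration. This is not GestSup's code; the function names log_api_error, render_log_rows_vulnerable, render_log_rows_safe and h, the log-entry layout and the sample header value are all constructed for the example.

```php
<?php
// Added illustration, not GestSup's code. Function names and the log-entry
// layout are hypothetical; the request header below is a constructed sample.

// Server side: the API key header is recorded verbatim in an error log entry.
// Storing the raw value is acceptable only if every output context encodes it.
function log_api_error(array $headers, string $message): array {
    $apiKey = $headers['X-API-KEY'] ?? '';
    return [
        'ts'      => gmdate('c'),
        'message' => $message,
        'api_key' => $apiKey,   // attacker-controlled, stored as received
    ];
}

// Vulnerable rendering: log fields are interpolated straight into the HTML
// table the administrator views, so markup in api_key becomes live markup.
function render_log_rows_vulnerable(array $entries): string {
    $html = '';
    foreach ($entries as $e) {
        $html .= "<tr><td>{$e['ts']}</td><td>{$e['message']}</td><td>{$e['api_key']}</td></tr>\n";
    }
    return $html;
}

// Hardened rendering: every value is HTML-encoded for the element-content
// context. ENT_QUOTES also neutralises quotes in case a value is later placed
// in an attribute; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_log_rows_safe(array $entries): string {
    $html = '';
    foreach ($entries as $e) {
        $html .= '<tr><td>' . h($e['ts']) . '</td><td>' . h($e['message'])
               . '</td><td>' . h($e['api_key']) . '</td></tr>' . "\n";
    }
    return $html;
}

// Constructed sample request: the header carries markup instead of a key.
$sampleHeaders = ['X-API-KEY' => '<script>alert(1)</script>'];
$entries = [log_api_error($sampleHeaders, 'invalid API key')];

echo "Vulnerable output:\n" . render_log_rows_vulnerable($entries);
echo "Safe output:\n" . render_log_rows_safe($entries);
// The safe output contains &lt;script&gt;alert(1)&lt;/script&gt;, which the
// browser displays as text rather than executing.
```

The fix belongs at the rendering step, not in the logger: the log should keep the exact bytes that were received (they are evidence), and the view that shows them to an administrator is responsible for encoding them for the HTML context in which they appear. Rejecting header values that do not match the expected key format before they are logged is a reasonable additional layer, but it does not replace output encoding.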

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-22198

Affected Products: Gestsup