PT-2026-40912 · Unknown · Stel Order

Published: 2026-05-14 · Updated: 2026-05-14 · CVE-2026-5790

CVSS v4.0: 5.1 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Stel Order versions prior to 3.25.2

Description: Stored Cross-Site Scripting (XSS) occurs at the '/app/FrontController' endpoint through the legalName and employeeID parameters. Insufficient input sanitization allows an attacker to inject malicious code that is persistently stored in the database. This code executes in the browsers of users or administrators accessing the affected sections, potentially leading to session cookie theft and account hijacking.

Recommendations: Update to a version newer than 3.25.1. As a temporary workaround, restrict access to the '/app/FrontController' endpoint or avoid using the legalName and employeeID parameters until a patch is applied.
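Added example, not Stel Order's code: the unsafe rendering pattern the description implies (stored values interpolated straight into HTML) beside a hardened version that HTML-encodes legalName and employeeID at output time and also validates the employeeID format on input. The sample values and the employeeID format are constructed assumptions.

```python
import html
import re

# Constructed sample values for the two parameters named in the advisory.
# employeeID carries a harmless marker tag only to show whether the renderer
# emits stored markup as live HTML.
SAMPLE_FIELDS = {
    "legalName": 'Acme & Sons "Ltd"',
    "employeeID": "<b>EMP-42</b><script>/*marker*/</script>",
}

# Assumed allow-list for employeeID (not Stel Order's real format):
# input-side validation as defence in depth, never a substitute for encoding.
EMPLOYEE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def validate_employee_id(value: str) -> bool:
    """Reject an employeeID that does not match the assumed allow-list."""
    return EMPLOYEE_ID_RE.fullmatch(value) is not None


def render_unsafe(fields: dict) -> str:
    """Vulnerable pattern: raw interpolation of stored values into HTML."""
    return f"<td>{fields['legalName']}</td><td>{fields['employeeID']}</td>"


def render_escaped(fields: dict) -> str:
    """Hardened pattern: encode every stored value at output time.
    quote=True also encodes quotes, so the same helper is safe inside
    attribute values, not only between tags."""
    return "".join(
        f"<td>{html.escape(str(fields[name]), quote=True)}</td>"
        for name in ("legalName", "employeeID")
    )


def stored_markup_is_live(rendered: str, value: str) -> bool:
    """True if a stored value survived verbatim, i.e. would be parsed as markup."""
    return value in rendered


if __name__ == "__main__":
    print("unsafe :", render_unsafe(SAMPLE_FIELDS))
    print("escaped:", render_escaped(SAMPLE_FIELDS))
    print("employeeID valid:", validate_employee_id(SAMPLE_FIELDS["employeeID"]))
```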

Fix

XSS


Weakness Enumeration

Related Identifiers: CVE-2026-5790

Affected Products: Stel Order