Cyber Posture

CVE-2026-26723

HighPublic PoC

Published: 20 February 2026

Published
20 February 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
EPSS Score 0.0011 28.4th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Cross Site Scripting vulnerability in Key Systems Inc Global Facilities Management Software v. 20230721a allows a remote attacker to execute arbitrary code via the function parameter.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Validates the function parameter input to reject or sanitize malicious scripts, directly preventing XSS exploitation in the Global Facilities Management Software.

SI-15 Information Output Filtering good match
prevent

Filters and encodes information output to web pages, blocking execution of injected scripts in victims' browsers and addressing the reflected XSS via function parameter.

SI-2 Flaw Remediation good match
preventrecover

Identifies, prioritizes, and remediates the specific XSS flaw in version 20230721a through patching or updates, eliminating the vulnerability at its root.

Security SummaryAI

CVE-2026-26723 is a Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, in Key Systems Inc Global Facilities Management Software version 20230721a. Published on 2026-02-20, it enables a remote attacker to execute arbitrary code through the function parameter. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N), indicating high severity due to network accessibility, low attack complexity, no required privileges, user interaction dependency, changed scope, high confidentiality impact, low integrity impact, and no availability impact.

A remote attacker can exploit this vulnerability without authentication by crafting malicious input targeting the function parameter, typically delivered via a phishing link or malicious webpage that requires user interaction, such as clicking or viewing content. Successful exploitation executes arbitrary code in the victim's browser context, potentially leading to theft of sensitive session data, cookies, or other confidential information hosted by the application, as reflected in the high confidentiality impact and scope change.

The primary reference for this vulnerability is a GitHub repository containing vulnerability disclosures at https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26723, which may provide additional details on exploitation or remediation steps.

Details

CWE(s)
CWE-79

Affected Products

keystorage
global facilities management software
20230721a

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
attack.mitre.org →
Why these techniques?

XSS vulnerability in public-facing software enables remote exploitation without authentication (T1190) and allows arbitrary code execution in browser context to steal session cookies and sensitive data (T1539).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References