CVE-2026-1959
Description
Stored Cross-Site Scripting (XSS) vulnerability in Loggro Pymes, via the 'descripción' parameter in the '/loggrodemo/jbrain/MaestraCuentasBancarias' endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in the Loggro Pymes web application allows attackers to inject malicious scripts via the 'descripción' parameter in the bank accounts endpoint.
CVE-2026-1959 is a stored cross-site scripting (XSS) vulnerability in the Loggro Pymes web application, a business management platform. The flaw resides in the '/loggrodemo/jbrain/MaestraCuentasBancarias' endpoint, where the 'descripción' parameter fails to properly sanitize user input before storage. This allows an attacker to inject arbitrary HTML or JavaScript code that will be executed when the stored data is later rendered in a victim's browser [1].
Exploitation requires no authentication (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A) but does require user interaction: the victim must visit the affected page containing the malicious input. An attacker can craft a request to the vulnerable endpoint with a malicious payload in the 'descripción' field. Since the input is stored, any user who subsequently views the bank accounts page will trigger the script [1].
The impact is limited to the confidentiality and integrity of the session context (SC:L, SI:L). An attacker could perform actions on behalf of the victim, such as stealing session cookies, redirecting to phishing pages, or defacing the application interface. However, the CVSS vector indicates no impact to the vulnerable system itself (VC:N/VI:N/VA:N), meaning the attack is confined to the user's browser session [1].
The vulnerability has been addressed by Loggro Pymes in version 1.0.124. Users are advised to update to this version or later to mitigate the risk. No public exploit is known at the time of disclosure [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
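The narrative above describes the classic stored XSS pattern: a value is written without sanitization and later interpolated into HTML. As an added illustration, and not code from Loggro Pymes or from the advisory, the following Python places that vulnerable rendering pattern beside a hardened version that escapes the stored value for an HTML text context, and includes a small triage helper a defender can run over already-stored rows. The function names, the `<td>` row template and the sample 'descripción' values are assumptions constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample rows standing in for stored 'descripción' values.
# The second entry is a generic textbook script tag, not a payload from the advisory.
STORED_DESCRIPTIONS = [
    "Cuenta de ahorros principal",
    "<script>alert('xss')</script>",
    'Cuenta "corriente" & nómina',
]


def render_row_vulnerable(description: str) -> str:
    """Interpolates the stored value straight into markup: the pattern the
    advisory describes, where whatever was stored becomes live HTML."""
    return f"<td>{description}</td>"


def render_row_hardened(description: str) -> str:
    """Escapes <, >, &, " and ' before the value reaches an HTML text context,
    so a stored tag is displayed as text instead of being parsed as markup."""
    return f"<td>{html.escape(description, quote=True)}</td>"


class _TagCollector(HTMLParser):
    """Collects every start tag the browser-like parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: set[str] = set()

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.add(tag)


def tags_in(markup: str) -> set[str]:
    """Parses rendered markup and returns the set of element names it contains.
    A correctly escaped row yields only the template's own 'td' element."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def flag_markup_bearing_rows(values: list[str]) -> list[int]:
    """Crude triage for defenders: indexes of stored values that contain
    HTML-significant characters, i.e. rows that would render differently
    raw versus escaped and deserve review."""
    return [i for i, v in enumerate(values) if html.escape(v, quote=True) != v]


if __name__ == "__main__":
    for value in STORED_DESCRIPTIONS:
        print("vulnerable:", tags_in(render_row_vulnerable(value)))
        print("hardened:  ", tags_in(render_row_hardened(value)))
    print("rows to review:", flag_markup_bearing_rows(STORED_DESCRIPTIONS))
```

Escaping at output is the fix that holds regardless of how the value got into the database; input validation at the endpoint is worthwhile defence in depth but does not protect rows that were stored before the fix, which is why the triage helper scans existing data.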
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.