CVE-2026-1960
Description
Stored Cross-Site Scripting (XSS) vulnerability in Loggro Pymes, via the 'Facebook' parameter in '/loggrodemo/jbrain/ConsultaTerceros' endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Loggro Pymes, via the 'Facebook' parameter at /loggrodemo/jbrain/ConsultaTerceros, allows attackers to inject arbitrary web scripts.
Overview
Loggro Pymes versions prior to 1.0.124 contain a stored Cross-Site Scripting (XSS) vulnerability in the /loggrodemo/jbrain/ConsultaTerceros endpoint. The flaw exists in the 'Facebook' parameter, which fails to properly sanitize user-supplied input before storing it. This issue is classified under CWE-79 and carries a CVSS v4.0 base score of 5.1 [1].
Exploitation
To exploit this vulnerability, an attacker must be able to submit crafted payloads through the 'Facebook' parameter. The lack of input validation allows arbitrary HTML and JavaScript to be stored and later executed in the browser of any user visiting the affected page. The advisory does not explicitly state that authentication is required, but, as is typical for stored XSS, user interaction (a victim viewing the page that renders the stored value) is needed for the payload to execute [1].
Impact
If successfully exploited, an attacker can inject malicious scripts that execute in the context of the victim's browser session. This could lead to data theft, session hijacking, or defacement of the application interface. The scope of impact is limited to the client side, with low confidentiality and integrity impact as per the CVSS vector [1].
Mitigation
The vendor, Loggro Pymes, has addressed this vulnerability in version 1.0.124. All users are advised to update to this patched release to eliminate the XSS risk [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.