Medium severity 6.1 · NVD Advisory · Published Mar 30, 2026 · Updated Apr 27, 2026

CVE-2026-30082

Description

Multiple stored cross-site scripting (XSS) vulnerabilities in the Edit feature of the Software Package List page of IngEstate Server v11.14.0 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the About application, What's news, or Release note parameters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IngEstate Server v11.14.0 Edit feature has stored XSS in three parameters, allowing arbitrary script execution when other users view the Software Package List.

The Software Package List page in IngEstate Server v11.14.0 contains multiple stored cross-site scripting (XSS) vulnerabilities in the Edit feature [2]. The root cause is insufficient sanitization of user input in the 'About application', 'What's news', and 'Release note' parameters when accessed via the API endpoint PUT /emgui/rest/appDatasheet//?full=true [2]. This allows an attacker to inject arbitrary HTML and JavaScript payloads that are persisted on the server.

To exploit this, an authenticated attacker must first navigate to the Software Package List page through the dashboard and use the Edit feature [2]. The injected payload is stored and will automatically execute in the browsers of any other user who subsequently views the compromised Software Package information [2]. No additional user interaction is required beyond viewing the page.

Successful exploitation enables arbitrary JavaScript execution in the context of the victim's session [2]. Potential impacts include session hijacking, theft of credentials, and performing unauthorized actions on behalf of the authenticated victim [2]. The vulnerability affects all users who view the modified Software Package details.

Ingenico has not released a security advisory or patch as of the publication date [1][2]. Users should restrict access to the Software Package List edit functionality and sanitize all inputs in the affected parameters until an official fix is provided.
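
With no patch available, one compensating control is to audit stored package datasheets for markup in the three free-text fields and to HTML-encode those fields before they are rendered. The sketch below is an added example, not IngEstate or Ingenico code; the JSON keys `aboutApplication`, `whatsNew` and `releaseNote` and the sample records are assumptions, since the advisory gives only the UI labels.

```javascript
// Added example. The JSON keys below are hypothetical stand-ins for the
// "About application", "What's news" and "Release note" parameters.
const FREE_TEXT_FIELDS = ["aboutApplication", "whatsNew", "releaseNote"];

const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Audit heuristic: a "<" that an HTML parser would treat as the start of a tag,
// end tag, comment or declaration. A bare "<" followed by a space or digit is text.
const MARKUP_START = /<(?:\/?[a-zA-Z]|!)/;

// Returns the fields that hold markup plus a copy of the record whose free-text
// fields are encoded for insertion into an HTML text node.
function auditDatasheet(record) {
  const findings = [];
  const safe = { ...record };
  for (const field of FREE_TEXT_FIELDS) {
    const value = record[field];
    if (value === undefined || value === null) continue;
    if (typeof value !== "string") {
      findings.push({ field, reason: "non-string value" });
    } else if (MARKUP_START.test(value)) {
      findings.push({ field, reason: "HTML markup in free-text field" });
    }
    safe[field] = escapeHtml(value);
  }
  return { findings, safe };
}

// Constructed sample records (not taken from any real server).
const SAMPLE_RECORDS = [
  { id: 1, aboutApplication: "Payment app", whatsNew: "Faster & smaller", releaseNote: "For terminals < 5 years old" },
  { id: 2, aboutApplication: "Loyalty app", whatsNew: "Bug fixes", releaseNote: "See <script>placeholder()</script> notes" },
];

for (const record of SAMPLE_RECORDS) {
  const { findings } = auditDatasheet(record);
  console.log(record.id, findings.length ? findings : "clean");
}
```

The encoding shown is correct only for values placed in HTML text or quoted attribute values; a field rendered inside a script block, URL or style context needs the encoder for that context.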

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

2
