CVE-2026-5790
Description
Stored Cross-Site Scripting (XSS) in Stel Order v3.25.1 and earlier, located at the ‘/app/FrontController’ endpoint via the ‘legalName’ and ‘employeeID’ parameters. The lack of proper input sanitization allows an attacker to inject malicious code that is persistently stored in the database. When other users or administrators access the affected sections, the code executes in their browsers, enabling the theft of session cookies and account hijacking.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Stel Order v3.25.1 and earlier allows attackers to inject persistent malicious scripts via legalName and employeeID parameters, leading to session theft and account hijacking.
Vulnerability Details
CVE-2026-5790 is a stored Cross-Site Scripting (XSS) vulnerability in Stel Order versions 3.25.1 and earlier. The flaw resides in the /app/FrontController endpoint, where the legalName and employeeID parameters are not properly sanitized before being stored in the database [1]. This allows an attacker to inject arbitrary JavaScript code that persists on the platform.
Exploitation
An unauthenticated attacker can inject malicious payloads through the vulnerable parameters, as no authentication is required to submit data to the endpoint (CVSS v4.0 PR:N) [1]. The injected script is stored and later executed when any user, including administrators, accesses the affected sections of the application. User interaction is required for the script to execute (UI:A), meaning the victim must navigate to the page containing the stored payload.
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to theft of session cookies, allowing account hijacking and unauthorized access to sensitive data [1]. The stored nature of the XSS increases the potential reach, as every subsequent visitor to the affected page becomes a target.
Mitigation
As of the advisory publication date, no official patch or workaround has been released by the vendor [1]. The root-cause fix is on the application side: validate the legalName and employeeID parameters on input and, more importantly, HTML-encode them wherever they are rendered, since a legal name can legitimately contain characters such as apostrophes and ampersands that input filtering alone cannot reject. Organizations using Stel Order are advised to apply those controls where they can, to treat data entered through the affected endpoint as untrusted, and to monitor for vendor updates.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 1
News mentions: 0 (no linked articles in the index yet)