CVE-2026-6743
Description
A vulnerability has been found in WebSystems WebTOTUM 2026. This impacts an unknown function of the component Calendar. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WebTOTUM 2026 Calendar component allows remote attackers to inject arbitrary web scripts.
Vulnerability
Overview
A stored cross-site scripting (XSS) vulnerability exists in the Calendar component of WebSystems WebTOTUM 2026. The exact manipulation path is not fully disclosed, but the issue allows an attacker to inject malicious scripts through the affected function. The vendor has confirmed the vulnerability and released a patched version [1].
Exploitation
Exploitation requires no special authentication or network position, as the attack may be initiated remotely. The vulnerability has been publicly disclosed, meaning proof-of-concept code is available, lowering the barrier for attackers. Successful exploitation depends on persuading a user to access the crafted calendar content, typically via a link or by viewing the compromised calendar entry.
Impact
An attacker who achieves XSS can execute arbitrary JavaScript in the context of the victim's browser session. This can lead to data theft, session hijacking, or defacement within the WebTOTUM application. The CVSS v3.1 score of 3.5 (Low) reflects the need for user interaction and the limited impact on availability, but confidentiality and integrity are partially affected.
Mitigation
The vendor responded professionally and quickly provided a fixed version of WebTOTUM. Users and administrators are strongly advised to upgrade the affected component as recommended in the official advisory [1]. No workarounds beyond applying the update have been described.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: = 2026
Patches (0)
No patches discovered yet.
References (5)
News mentions (0)
No linked articles in our index yet.