Description
Reflected Cross Site Scripting (XSS) vulnerabilities in GDTaller. These vulnerabilities allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL in the 'site' parameter of 'app_recuperarclave.php'.
Published: 2026-03-26
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (arbitrary JavaScript execution in the victim’s browser)
Action: Patch Now
AI Analysis

Impact

GDTaller contains a reflected Cross‑Site Scripting flaw (CWE‑79) that is triggered through the 'site' parameter of the app_recuperarclave.php script. An attacker crafts a URL whose 'site' value carries HTML or JavaScript; because the application reflects that value into the response without output encoding, the script runs in the origin of the GDTaller site inside the victim's browser as soon as the victim opens the link. That permits actions such as reading session cookies (unless they are marked HttpOnly), issuing requests with the victim's session, or injecting further content into the page. The impact is confined to the victim's browser session; it does not by itself give control of the server.

Affected Systems

The vulnerability affects the GDTaller application. The CVE record does not name affected versions and the NVD CPE entry (cpe:2.3:a:gdtaller:gdtaller:-:*:*:*:*:*:*:*) carries no version either, so treat every deployment that has not been updated to the release named in the vendor advisory as vulnerable.

Risk and Exploitability

The CVSS 4.0 base score is 5.1 (medium); NVD additionally records a CVSS 3.1 score of 6.1 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, the usual rating for reflected XSS. The EPSS score is below 1 %, so the model currently rates exploitation attempts as unlikely. The entry is not in the CISA KEV catalog and the SSVC record lists Exploitation: none, which means no evidence of active exploitation has been recorded, not that exploitation is impossible. Both vectors (UI:A in CVSS 4.0, UI:R in CVSS 3.1) reflect that a victim must open the crafted link, so the practical risk depends on how easily an attacker can put such a link in front of GDTaller users (e-mail, chat, posted links) and on whether HttpOnly session cookies and a Content-Security-Policy limit what injected script can do.
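Because exploitation needs a crafted link, attempts show up in the web server's access log as requests to app_recuperarclave.php whose 'site' value contains markup. The following detection is an example added by the editor, not code from GDTaller or from the advisory: it parses combined-format log lines, percent-decodes the parameter (including double-encoded variants) and flags tag, event-handler or javascript: markers. The log lines and the probe payloads are constructed for the example and are generic XSS probes, not the advisory's actual trigger.

```python
"""Scan web-server access logs for attempts against the 'site' parameter of
app_recuperarclave.php. Editor-added example, not GDTaller code; the log
lines below are constructed and the payloads are generic XSS probes."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache/nginx combined log format (one line per request)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markup that has no place in a site identifier: a tag, an event-handler
# attribute, or a javascript: URL. Matched after percent-decoding.
XSS_MARKERS = re.compile(r'<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:', re.IGNORECASE)

TARGET_SCRIPT = 'app_recuperarclave.php'
PARAM = 'site'


def decode_fully(value, max_rounds=3):
    """Strip layered percent-encoding so double-encoded payloads are inspected too."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line):
    """Return (client_ip, decoded_site_value) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('target'))
    if not url.path.endswith('/' + TARGET_SCRIPT):
        return None
    # parse_qs percent-decodes once; decode_fully handles further layers
    for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        value = decode_fully(raw)
        if XSS_MARKERS.search(value):
            return m.group('ip'), value
    return None


def scan(lines):
    """Collect every hit from an iterable of log lines."""
    return [hit for hit in map(inspect_line, lines) if hit is not None]


# Constructed sample traffic (RFC 5737 test addresses), not real GDTaller logs:
# a benign lookup, a percent-encoded probe, a double-encoded probe, and a
# probe against a different script that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Mar/2026:10:01:02 +0000] "GET /app_recuperarclave.php?site=taller01 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [26/Mar/2026:10:02:45 +0000] "GET /app_recuperarclave.php?site=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1604 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [26/Mar/2026:10:03:10 +0000] "GET /app_recuperarclave.php?site=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 1610 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [26/Mar/2026:10:04:00 +0000] "GET /index.php?site=%3Cb%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, value in scan(SAMPLE_LOG):
        print(f'{ip} sent site={value!r}')
```

Run it against the real access log with `scan(open(path))`. The markers are deliberately narrow (they catch raw and percent-encoded tags, not HTML-entity or UTF-7 obfuscation), so treat a hit as a lead to review, and a clean scan as no more than the absence of obvious probes. A 200 status on a flagged line only says the page was served, not that the payload executed in anyone's browser.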

Generated by OpenCVE AI on March 27, 2026 at 19:26 UTC.

Remediation

Vendor Solution

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-gdtaller


OpenCVE Recommended Actions

  • Apply the official GDTaller patch or upgrade to the latest version as indicated in the vendor advisory.
  • If an immediate patch is not available, fix the reflection point rather than trying to block payloads: validate the 'site' parameter against the set of values the application actually expects (an allowlist) and HTML-encode it wherever it is written into the response (in PHP, htmlspecialchars with ENT_QUOTES). Blocklisting strings such as <script> is easily bypassed.
  • As defence in depth, mark session cookies HttpOnly and deploy a Content-Security-Policy that disallows inline script; neither replaces the fix, but both limit what a successful injection can do.
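The two handling patterns side by side, plus a canary check for confirming that a deployed fix actually stopped the reflection. This is an example added by the editor, written in Python for illustration; GDTaller is a PHP application and its real app_recuperarclave.php code is not reproduced here. The slug format used as the allowlist and the page template are assumptions, not taken from the advisory.

```python
"""Vulnerable and hardened handling of the 'site' parameter, plus a canary
check for verifying a fix. Editor-added example in Python; GDTaller is PHP and
its real code is not reproduced here. The slug format is an assumption."""
import html
import re

# Assumption (not from the advisory): 'site' is a short workshop identifier.
# Replace with whatever GDTaller actually expects.
SITE_SLUG = re.compile(r'^[A-Za-z0-9_-]{1,32}$')

# Constructed page template standing in for the real recovery form.
PAGE = ('<form action="app_recuperarclave.php" method="post">'
        '<input type="hidden" name="site" value="{site}">'
        '<p>Recover your password for {site}</p></form>')


def render_vulnerable(site):
    """CWE-79 pattern: the query value is written into HTML verbatim."""
    return PAGE.format(site=site)


def encode_for_html(value):
    """Encode for element content and quoted attribute values (& < > " ')."""
    return html.escape(value, quote=True)


def render_hardened(site):
    """Validate against the allowlist, then encode on output. Returns (status, body)."""
    if site is None or not SITE_SLUG.match(site):
        # Reject with a generic message that never echoes the untrusted value.
        return 400, '<p>Unknown site.</p>'
    # Encoding stays even though validation passed: defence in depth, and it
    # keeps the page safe if the allowlist is later loosened.
    return 200, PAGE.format(site=encode_for_html(site))


# Constructed probe: closes the value attribute and opens a tag if reflected raw.
CANARY = '"><x7f3q>'


def reflects_unencoded(body, canary=CANARY):
    """Patch check: True when the canary's markup comes back verbatim."""
    return canary in body


if __name__ == '__main__':
    print('vulnerable reflects raw:', reflects_unencoded(render_vulnerable(CANARY)))
    status, body = render_hardened(CANARY)
    print('hardened status:', status, 'reflects raw:', reflects_unencoded(body))
    print(render_hardened('taller01')[1])
```

The PHP equivalent of encode_for_html is htmlspecialchars($site, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8'). Encoding is context-specific: this encoder is correct for element content and quoted attributes, but if 'site' is ever written into a script block, an inline event handler or a URL attribute, that context needs its own encoder. To verify a patched instance, request app_recuperarclave.php with site set to the canary and run reflects_unencoded on the response body.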

Generated by OpenCVE AI on March 27, 2026 at 19:26 UTC.


Advisories

No advisories yet.

History

Fri, 27 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gdtaller:gdtaller:-:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Thu, 26 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Description Reflected Cross Site Scripting (XSS) vulnerabilities in GDTaller. These vulnerabilities allows an attacker execute JavaScript code in the victim's browser by sending a malicious URL in 'site' parameter in 'app_recuperarclave.php'.
Title Multiple vulnerabilities in GDTaller
First Time appeared Gdtaller
Gdtaller gdtaller
Weaknesses CWE-79
CPEs cpe:2.3:a:gdtaller:gdtaller:*:*:*:*:*:*:*:*
Vendors & Products Gdtaller
Gdtaller gdtaller
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Gdtaller Gdtaller
MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-26T13:22:59.327Z

Reserved: 2025-04-16T09:09:26.929Z

Link: CVE-2025-41027

Vulnrichment

Updated: 2026-03-26T13:22:55.890Z

NVD

Status : Analyzed

Published: 2026-03-26T13:16:25.103

Modified: 2026-03-27T18:28:38.227

Link: CVE-2025-41027

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:26:14Z

Weaknesses