Description
A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. Such manipulation of the argument TicketID leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-01-17
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Client‑Side Code Execution (Reflected XSS via TicketID)
Action: Apply Patch
AI Analysis

Impact

A cross‑site scripting vulnerability exists in the LigeroSmart application within a function of the "/otrs/index.pl" file. Manipulation of the TicketID argument allows an attacker to inject arbitrary HTML or JavaScript. The injected script will execute in the victim’s browser under the context of their session; however, the description does not explicitly state the consequences, so any potential for session hijacking, defacement, or other client‑side exploitation is inferred based on standard XSS behaviors.

Affected Systems

As of the current information, all installations of LigeroSmart up to and including version 6.1.26 are vulnerable. The flaw is not tied to a specific deployment configuration, so any web server hosting the application and exposing the /otrs/index.pl endpoint is at risk.

Risk and Exploitability

The CVSS score of 5.1 categorizes this as moderate severity. The EPSS score of less than 1% indicates a low likelihood of exploitation in the wild at present. LigeroSmart is not listed in CISA KEV. The vulnerability can be exploited remotely by delivering a crafted URL containing a malicious TicketID value; no privileged local access is required. As no official patch has been issued yet, administrators should monitor the vendor’s website or support channels for an update, consider applying a temporary workaround by sanitizing the TicketID parameter, and optionally limit exposure through web‑application firewall rules.

Generated by OpenCVE AI on April 18, 2026 at 16:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LigeroSmart to a released version that resolves the TicketID handling flaw in "/otrs/index.pl".
  • If no update is available, patch the existing installation by modifying "/otrs/index.pl" to sanitize or validate the TicketID parameter before rendering it.
  • Check the LigeroSmart vendor website or support forums for any new patch release and apply it promptly.
  • Restrict access to the TicketID parameter or the /otrs/index.pl endpoint using web‑application firewall rules or by disabling unnecessary functionality exposed through the URL.
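
As a detection aid for the interim period, the following added example (not code from OpenCVE or from the LigeroSmart project) scans web-server access log lines for requests to /otrs/index.pl whose TicketID is not a plain integer. It assumes that legitimate TicketID values are numeric, that parameters may be separated by ";" as well as "&", and that the log uses the common/combined format; the function name and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
ENDPOINT = "/otrs/index.pl"           # path named in the advisory
PARAM = "TicketID"                    # parameter named in the advisory
NUMERIC_RE = re.compile(r"\d{1,20}")  # assumption: valid IDs are plain integers


def flag_ticketid_requests(log_lines):
    """Return (line_number, decoded_value) for every TicketID sent to the
    affected endpoint that is not a plain integer."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path != ENDPOINT:
            continue
        # Assumption: ';' is accepted as a parameter separator alongside '&'.
        # Encoded separators (%3B, %26) stay inside the value until decoding.
        query = url.query.replace(";", "&")
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name == PARAM and not NUMERIC_RE.fullmatch(value):
                findings.append((number, value))
    return findings


# Constructed sample lines (documentation addresses, harmless markup).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Jan/2026:10:00:01 +0000] '
    '"GET /otrs/index.pl?Action=Example;TicketID=1042 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [17/Jan/2026:10:00:07 +0000] '
    '"GET /otrs/index.pl?Action=Example&TicketID=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 4811',
    '203.0.113.9 - - [17/Jan/2026:10:00:09 +0000] '
    '"GET /other/page?TicketID=%3Cb%3E HTTP/1.1" 404 120',
]

if __name__ == "__main__":
    for number, value in flag_ticketid_requests(SAMPLE_LOG):
        print(f"line {number}: non-numeric TicketID {value!r}")
```

Access logs record only the query string, so values submitted in a POST body are not visible to this check; the same allow-list test (digits only) is what a web-application firewall rule or an input check would enforce.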


Advisories

No advisories yet.

History

Fri, 27 Feb 2026 04:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ligerosmart:ligerosmart:*:*:*:*:*:*:*:*

Mon, 23 Feb 2026 08:45:00 +0000


Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Ligerosmart
Ligerosmart ligerosmart
Vendors & Products Ligerosmart
Ligerosmart ligerosmart

Sat, 17 Jan 2026 17:45:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. Such manipulation of the argument TicketID leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title LigeroSmart index.pl cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-26T15:56:50.721Z

Reserved: 2026-01-16T16:38:48.292Z

Link: CVE-2026-1049

Vulnrichment

Updated: 2026-01-20T21:34:30.637Z

NVD

Status: Analyzed

Published: 2026-01-17T18:15:48.717

Modified: 2026-02-27T03:51:36.257

Link: CVE-2026-1049

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:15:04Z

Weaknesses