Description
Stored Cross-Site Scripting (XSS) in RLE NOVA's PlanManager. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting a malicious payload through the ‘comment’ and ‘brand’ parameters in ‘/index.php’. The payload is stored by the application and subsequently displayed without proper sanitization when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
Published: 2026-01-29
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS that can lead to session hijacking and unauthorized actions
Action: Monitor
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in RLE NOVA’s PlanManager application. An attacker can inject malicious JavaScript through the ‘comment’ and ‘brand’ parameters of the /index.php endpoint; the payload is saved by the application and later rendered to other users without proper sanitization. The flaw can be exploited to steal session cookies or to perform actions on behalf of victims, compromising session and authentication integrity.

Affected Systems

The affected product is RLE NOVA:PlanManager. The CVE data does not specify affected versions. The service at planmanager.es was taken offline in October 2025, which removes the currently known exploitable surface, but any deployments that remain online may still be affected.

Risk and Exploitability

The flaw carries a CVSS score of 6.9 and an EPSS score below 1%, indicating a low but non‑zero exploitation likelihood, and it is not listed in the CISA KEV catalog. The description implies that the attack vector is the web interface’s input fields, so exploitation would typically require either an authenticated account or the ability to post publicly accessible content. With the application offline, the immediate risk is mitigated, but any online installations retain a moderate risk until input sanitization is applied or the service is shut down.

Generated by OpenCVE AI on April 18, 2026 at 19:49 UTC.

Remediation

Vendor Solution

The reported vulnerability is no longer exploitable, as the website planmanager.es was taken down in October 2025.


OpenCVE Recommended Actions

  • The official solution notes that the vulnerability is no longer exploitable because the PlanManager website was taken down in October 2025; therefore, simply ensuring the site remains offline removes the attack surface.
  • If the application is still deployed or could be re‑enabled, immediately terminate public access or take the service offline to remove the exposure until a fix is applied.
  • Apply input validation or sanitization to the ‘comment’ and ‘brand’ parameters so that script tags or other executable content cannot be stored or rendered.
  • Deploy a web application firewall rule or enforce a Content Security Policy to block or neutralize XSS payloads that may reach users’ browsers.

Generated by OpenCVE AI on April 18, 2026 at 19:49 UTC.
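The two recommended controls above, output encoding of the stored fields and a Content Security Policy, as an added PHP illustration that is not PlanManager's code (its source is not shown on this page); the record array, field names and the CSP directives are assumptions chosen to mirror the ‘comment’ and ‘brand’ parameters named in the advisory.

```php
<?php
// Added example, not PlanManager code. $row stands in for a record that an
// earlier request stored from the 'comment' and 'brand' parameters.
$row = [
    'brand'   => 'Acme "Pro" <b>Series</b>',               // constructed sample value
    'comment' => "<script>document.title='x'</script>",   // constructed sample value
];

// Vulnerable pattern (the behaviour the advisory describes): stored values are
// interpolated straight into the page, so any markup they contain is executed
// by every browser that views the record.
function render_unsafe(array $row): string
{
    return "<td>{$row['brand']}</td><td>{$row['comment']}</td>";
}

// Hardened pattern: encode for the HTML text/attribute context at output time.
// ENT_QUOTES also encodes ' and ", so the value stays inert inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_safe(array $row): string
{
    return '<td>' . esc($row['brand']) . '</td><td>' . esc($row['comment']) . '</td>';
}

// Defence in depth: a policy that permits only same-origin scripts blocks an
// inline payload even if an encoding bug slips through elsewhere in the app.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}

if (PHP_SAPI !== 'cli') {   // headers only make sense when serving a request
    send_csp_header();
}
echo render_safe($row), PHP_EOL;
```

Compare the two render functions on the same $row: the unsafe one emits the stored tags verbatim, the safe one emits only entity-encoded text, and the header makes a missed encoding site non-executable in CSP-enforcing browsers.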

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 14:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Nova-a; Nova-a planmanager
CPEs                  (none)           cpe:2.3:a:nova-a:planmanager:-:*:*:*:*:*:*:*
Vendors & Products    (none)           Nova-a; Nova-a planmanager
Metrics               (none)           cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Thu, 29 Jan 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 29 Jan 2026 11:45:00 +0000

Type                  Values Removed   Values Added
Description           (none)           Stored Cross-Site Scripting (XSS) in RLE NOVA's PlanManager. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting a malicious payload through the ‘comment’ and ‘brand’ parameters in ‘/index.php’. The payload is stored by the application and subsequently displayed without proper sanitization when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
Title                 (none)           Stored Cross-Site Scripting (XSS) in RLE NOVA's PlanManager
First Time appeared   (none)           Rle Nova; Rle Nova planmanager
Weaknesses            (none)           CWE-79
CPEs                  (none)           cpe:2.3:a:rle_nova:planmanager:all_versions:*:*:*:*:*:*:*
Vendors & Products    (none)           Rle Nova; Rle Nova planmanager
References            (none)
Metrics               (none)           cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-01-29T15:33:17.994Z

Reserved: 2026-01-27T08:31:51.674Z

Link: CVE-2026-1469

Vulnrichment

Updated: 2026-01-29T15:33:11.275Z

NVD

Status: Analyzed

Published: 2026-01-29T12:16:30.643

Modified: 2026-03-09T14:16:41.970

Link: CVE-2026-1469

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T20:00:09Z

Weaknesses