Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Karel Electronics Industry and Trade Inc. ViPort allows Stored XSS.This issue affects ViPort: through 23012026.
Published: 2026-02-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting capable of executing arbitrary JavaScript in the victim’s browser
Action: Patch Immediately
AI Analysis

Impact

Karel Electronics' ViPort product contains a stored cross‑site scripting flaw that allows an attacker to embed malicious scripts into the application’s output. When a victim later views the affected page, the browser executes the injected code as if it originated from the trusted site, potentially compromising session cookies, defacing content, or redirecting users to phishing sites. The vulnerability is a classic example of Improper Neutralization of Input During Web Page Generation (CWE‑79).

Affected Systems

All installations of Karel Electronics Industry and Trade Inc.’s ViPort running versions up to and including 23012026 are affected. No other versions are listed as vulnerable.

Risk and Exploitability

The flaw has a CVSS score of 8.8, indicating a high severity. EPSS is below 1 %, suggesting a currently low exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be through the web interface where user input is accepted and stored; an attacker would need to submit malicious content that the application later renders. No specific authentication or privilege escalation steps are mentioned, so the vulnerability may be exploitable by users who can create or modify content in the system.

Generated by OpenCVE AI on April 17, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor patch or update ViPort to a version newer than 23012026
  • Configure a web application firewall to filter or block malicious input before it reaches the application
  • Ensure all user‑generated content is properly encoded when rendered in the browser

Generated by OpenCVE AI on April 17, 2026 at 23:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 04 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Karel
Karel viport
Vendors & Products Karel
Karel viport

Wed, 04 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 08:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Karel Electronics Industry and Trade Inc. ViPort allows Stored XSS.This issue affects ViPort: through 23012026.
Title Stored XSS in Karel Electronics' ViPort
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Karel Viport
cve-icon MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-02-04T16:19:45.790Z

Reserved: 2026-02-03T14:13:29.446Z

Link: CVE-2026-1819

cve-icon Vulnrichment

Updated: 2026-02-04T16:19:42.234Z

cve-icon NVD

Status : Deferred

Published: 2026-02-04T08:16:06.820

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1819

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:00:09Z

Weaknesses