Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Karel Electronics Industry and Trade Inc. ViPort allows Stored XSS.

This issue affects ViPort: through 23012026.
Published: 2026-02-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The description was recently updated, but the core issue remains a stored cross‑site scripting flaw in ViPort. The product contains a stored XSS vulnerability that allows an attacker to embed malicious scripts into the application’s output. When a victim later views the affected page, the browser executes the injected code as if it originated from the trusted site, potentially compromising session cookies, defacing content, or redirecting users to phishing sites. The vulnerability is a classic example of Improper Neutralization of Input During Web Page Generation (CWE‑79).

Affected Systems

All installations of Karel Electronics Industry and Trade Inc.’s ViPort running versions up to and including 23012026 are affected. No other versions are listed as vulnerable.

Risk and Exploitability

The flaw has a CVSS score of 8.8, indicating a high severity. EPSS is below 1 %, suggesting a currently low exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be through the web interface where user input is accepted and stored; an attacker would need to submit malicious content that the application later renders. No specific authentication or privilege escalation steps are mentioned, so the vulnerability may be exploitable by users who can create or modify content in the system.

Generated by OpenCVE AI on June 6, 2026 at 09:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor patch or update ViPort to a version newer than 23012026
  • Configure a web application firewall to filter or block malicious input before it reaches the application
  • Ensure all user‑generated content is properly encoded when rendered in the browser

Generated by OpenCVE AI on June 6, 2026 at 09:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 08:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Karel Electronics Industry and Trade Inc. ViPort allows Stored XSS.This issue affects ViPort: through 23012026. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Karel Electronics Industry and Trade Inc. ViPort allows Stored XSS. This issue affects ViPort: through 23012026.
References

Wed, 04 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Karel
Karel viport
Vendors & Products Karel
Karel viport

Wed, 04 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 08:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Karel Electronics Industry and Trade Inc. ViPort allows Stored XSS.This issue affects ViPort: through 23012026.
Title Stored XSS in Karel Electronics' ViPort
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Karel Viport
cve-icon MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-06-06T07:55:39.333Z

Reserved: 2026-02-03T14:13:29.446Z

Link: CVE-2026-1819

cve-icon Vulnrichment

Updated: 2026-02-04T16:19:42.234Z

cve-icon NVD

Status : Deferred

Published: 2026-02-04T08:16:06.820

Modified: 2026-06-06T08:16:53.180

Link: CVE-2026-1819

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-06T09:30:17Z

Weaknesses