Description
Stored Cross-Site Scripting (XSS) vulnerability in Loggro Pymes, via the 'descripción' parameter in the '/loggrodemo/jbrain/MaestraCuentasBancarias' endpoint.
Published: 2026-02-09
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Patch
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw: an attacker submits JavaScript through the 'descripción' parameter of the '/loggrodemo/jbrain/MaestraCuentasBancarias' endpoint, the application persists the value, and it is later rendered to other users without output encoding, so the script executes in their browsers. Consequences include session hijacking, cookie theft, actions performed with the victim's session, and defacement. This is a classic instance of CWE-79: unsanitized user input is persisted and rendered without contextual output encoding.

Affected Systems

The flaw affects Loggro Pymes installations running versions prior to 1.0.124; the vendor has supplied a fix in 1.0.124. Note that the CPE recorded for this CVE carries a wildcard version, so automated inventory matching may flag every Loggro Pymes entry rather than narrowing to the affected range. Verify the deployed build directly and plan the update accordingly.

Risk and Exploitability

The CVSS 4.0 score of 5.1 classifies the issue as medium severity. The vector (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) records network-reachable, low-complexity exploitation requiring no privileges, but with active user interaction: a victim must view the page where the stored value is rendered. The impact is recorded entirely against subsequent systems (the victims' browsers and sessions, SC:L/SI:L), not the vulnerable server itself. The EPSS score of less than 1% indicates a very low estimated likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog, so no widely known active exploitation has been reported; the SSVC entry (Automatable: yes, Exploitation: none) is consistent with that. The attack path is remote and web-based: the attacker submits a crafted 'descripción' value, which is stored and then replayed to every user who views it.

Generated by OpenCVE AI on April 17, 2026 at 21:27 UTC.

Remediation

Vendor Solution

The vulnerability has been fixed by the Loggro Pymes team in version 1.0.124.


OpenCVE Recommended Actions

  • Upgrade to Loggro Pymes 1.0.124 or newer; this is the only change that removes the stored XSS vector
  • If an immediate upgrade is not feasible, apply contextual output encoding wherever the stored 'descripción' value is rendered (HTML-entity encoding for HTML text and attribute contexts) and, optionally, validate the field's length and character set on input. Prefer encoding at output over escaping before storage, which double-encodes legitimate data and leaves other output contexts (JSON, URLs, attributes) unprotected; tag blocklists are bypassable and are not a fix
  • As defence in depth only, deploy a Content Security Policy that disallows inline scripts (nonce- or hash-based script-src) and, where one is already in place, a web application firewall rule for the endpoint; neither replaces the patch, since WAF signatures can be evaded and CSP limits what injected markup can do rather than preventing the injection



Advisories

No advisories yet.

History

Mon, 09 Feb 2026 14:15:00 +0000

Metrics (ssvc) added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 12:00:00 +0000

Description added: Stored Cross-Site Scripting (XSS) vulnerability in Loggro Pymes, via the 'descripción' parameter in the '/loggrodemo/jbrain/MaestraCuentasBancarias' endpoint.
Title added: Stored Cross-Site Scripting (XSS) vulnerability in Loggro Pymes
First Time appeared added: Loggro Pymes (vendor), loggro Pymes (product)
Weaknesses added: CWE-79
CPEs added: cpe:2.3:a:loggro_pymes:loggro_pymes:*:*:*:*:*:*:*:*
Vendors & Products added: Loggro Pymes (vendor), loggro Pymes (product)
References added: none
Metrics (cvssV4_0) added: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-02-09T13:12:59.317Z

Reserved: 2026-02-05T10:39:17.734Z

Link: CVE-2026-1959

Vulnrichment

Updated: 2026-02-09T13:12:29.304Z

NVD

Status: Deferred

Published: 2026-02-09T12:15:57.767

Modified: 2026-06-17T10:16:46.690

Link: CVE-2026-1959

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:30:28Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')