Description
Stored Cross-Site Scripting (XSS) vulnerability in Loggro Pymes, via the 'Facebook' parameter in '/loggrodemo/jbrain/ConsultaTerceros' endpoint.
Published: 2026-02-09
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting allows an attacker to execute arbitrary JavaScript in the browsers of users who view the affected content, potentially leading to session hijacking, data theft or defacement.
Action: Patch Now
AI Analysis

Impact

A stored cross‑site scripting flaw exists in the Loggro Pymes web application. Malicious code can be injected via the ‘Facebook’ parameter of the /loggrodemo/jbrain/ConsultaTerceros endpoint and is persistently stored and later rendered to other users. This vulnerability falls under CWE‑79 and enables an attacker to run arbitrary scripts in the context of affected user browsers.

Affected Systems

The affected product is Loggro Pymes. Versions prior to 1.0.124 are vulnerable; the Loggro Pymes team has released a patch in version 1.0.124 that addresses the issue.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. The EPSS of less than 1% implies a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is client‑side, requiring an attacker to supply a malicious value for the Facebook parameter that will be stored and surfaced to other users browsing the application.

Generated by OpenCVE AI on April 17, 2026 at 21:26 UTC.

Remediation

Vendor Solution

The vulnerabilities have been fixed by the Loggro Pymes team in version 1.0.124.


OpenCVE Recommended Actions

  • Upgrade Loggro Pymes to version 1.0.124 or later to eliminate the stored XSS risk.
  • If an immediate upgrade is not feasible, enforce strict input validation and HTML‑encode the contents of the Facebook parameter before storage.
  • Configure the web application to return the page with a Content‑Security‑Policy header that disallows inline scripts for the affected domain.
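As an added illustration of the two mitigation layers recommended above (this is example code, not Loggro's own implementation): the stored Facebook value is neutralized with context-aware HTML encoding when the ConsultaTerceros record is rendered, and the response carries a Content-Security-Policy that disallows inline scripts. The in-memory store, the `tercero_id` key and the table-cell layout are assumptions; the encoding is applied at render time rather than before storage, which is the standard placement for output encoding and keeps the stored data intact.

```python
import html
from urllib.parse import urlsplit

# Hypothetical in-memory store standing in for the ConsultaTerceros record;
# the schema below is an assumption, not Loggro's.
TERCEROS = {}


def store_tercero(tercero_id, facebook):
    """Persist the raw value; neutralization happens at render time."""
    TERCEROS[tercero_id] = {"facebook": facebook}


def safe_facebook_href(value):
    """Return the value as a link target only if it is an http(s) URL on
    facebook.com. HTML encoding alone does not neutralize a javascript: URL
    placed in an href, so the scheme and host must be validated separately."""
    parts = urlsplit(value)
    host = parts.hostname or ""
    if parts.scheme in ("http", "https") and (
        host == "facebook.com" or host.endswith(".facebook.com")
    ):
        return value
    return None


def render_facebook_cell(tercero_id):
    """Render the stored Facebook field as an HTML table cell.
    html.escape(quote=True) encodes & < > " ' so the value cannot break out
    of element text or a quoted attribute."""
    raw = TERCEROS[tercero_id]["facebook"]
    text = html.escape(raw, quote=True)
    href = safe_facebook_href(raw)
    if href is None:
        return f"<td>{text}</td>"
    attr = html.escape(href, quote=True)
    return f'<td><a href="{attr}" rel="noopener noreferrer">{text}</a></td>'


def csp_header():
    """Response header that blocks inline scripts as a second layer of
    defence even if an encoding bug slips through elsewhere."""
    return (
        "Content-Security-Policy",
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    )


if __name__ == "__main__":
    # Constructed sample values, not data from the advisory.
    store_tercero("demo", "<script>alert(1)</script>")
    print(render_facebook_cell("demo"))
    print(": ".join(csp_header()))
```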

Advisories

No advisories yet.

History

Mon, 09 Feb 2026 13:15:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc
                            {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 12:00:00 +0000

Type                  Values Removed   Values Added
Description                            Stored Cross-Site Scripting (XSS) vulnerability in Loggro Pymes, via the 'Facebook' parameter in '/loggrodemo/jbrain/ConsultaTerceros' endpoint.
Title                                  Stored Cross-Site Scripting (XSS) vulnerability in Loggro Pymes
First Time appeared                    Loggro Pymes
                                       Loggro Pymes loggro Pymes
Weaknesses                             CWE-79
CPEs                                   cpe:2.3:a:loggro_pymes:loggro_pymes:*:*:*:*:*:*:*:*
Vendors & Products                     Loggro Pymes
                                       Loggro Pymes loggro Pymes
References
Metrics                                cvssV4_0
                                       {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-02-09T13:04:04.602Z

Reserved: 2026-02-05T10:40:49.603Z

Link: CVE-2026-1960

Vulnrichment

Updated: 2026-02-09T13:03:04.358Z

NVD

Status: Deferred

Published: 2026-02-09T12:15:57.940

Modified: 2026-06-17T10:16:46.800

Link: CVE-2026-1960

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:30:28Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')