Description
A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. Such manipulation of the argument SortBy leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-16
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting
Action: Assess Impact
AI Analysis

Impact

A vulnerability was discovered in LigeroSmart up to version 6.1.26. The vulnerable component is an unknown function within the /otrs/index.pl script. By manipulating the SortBy argument, an attacker can inject malicious script content, resulting in reflected cross‑site scripting that can be triggered remotely. This flaw corresponds to CWE‑79 and CWE‑94, allowing an attacker to execute arbitrary JavaScript in the context of legitimate users who visit the affected URL.

Affected Systems

Products affected are LigeroSmart, versions up to and including 6.1.26. No specific sub‑versions are listed beyond this upper bound.

Risk and Exploitability

The CVSS score of 5.1 indicates medium severity; the EPSS below 1% and the absence from the KEV catalog suggest a low probability of widespread exploitation at present. The attack can be launched remotely by supplying a crafted SortBy value in a request to the index.pl endpoint. Although the vulnerability was publicly disclosed, the vendor has not yet released a fix. Systems currently running the affected versions remain vulnerable until a patch or mitigating configuration is applied.

Generated by OpenCVE AI on April 17, 2026 at 19:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for an official patch or upgrade to a version newer than 6.1.26 once released and apply it immediately.
  • Until a fix is available, restrict access to the /otrs/index.pl script or eliminate the SortBy parameter from URLs served to users.
  • Implement input validation to sanitize the SortBy value, removing or escaping script tags and other potentially dangerous payloads before it is processed by the application.
  • Deploy a web application firewall to block XSS payloads targeting the SortBy argument.

Advisories

No advisories yet.

History

Thu, 19 Feb 2026 19:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:ligerosmart:ligerosmart:*:*:*:*:*:*:*:*

Tue, 17 Feb 2026 19:15:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Feb 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Ligerosmart; Ligerosmart ligerosmart

Type: Vendors & Products
Values Added: Ligerosmart; Ligerosmart ligerosmart

Mon, 16 Feb 2026 08:30:00 +0000

Type: Description
Values Added: A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. Such manipulation of the argument SortBy leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Type: Title
Values Added: LigeroSmart index.pl cross site scripting

Type: Weaknesses
Values Added: CWE-79, CWE-94

Type: References

Type: Metrics
Values Added:

cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:07:28.179Z

Reserved: 2026-02-15T16:00:28.877Z

Link: CVE-2026-2546

Vulnrichment

Updated: 2026-02-17T18:31:03.014Z

NVD

Status: Analyzed

Published: 2026-02-16T09:16:08.437

Modified: 2026-02-19T19:39:34.103

Link: CVE-2026-2546

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T19:15:26Z
