Description
A vulnerability was detected in LigeroSmart up to 6.1.26. The impacted element is the function AgentDashboard of the file /otrs/index.pl. Performing a manipulation of the argument Subaction results in cross site scripting. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-16
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch ASAP
AI Analysis

Impact

A cross-site scripting vulnerability (CWE-79) exists in LigeroSmart in the AgentDashboard handler of /otrs/index.pl. The Subaction request parameter is not safely handled, so a crafted value can inject script that executes in the browser of the user who loads the resulting page. The flaw is reachable remotely over HTTP. Note that the CVSS vectors recorded for this entry (PR:L, with UI:R in v3.x and UI:P in v4.0) indicate that a low-privileged account and user interaction are required; the realistic scenario is an agent with a valid session opening a crafted AgentDashboard link, not an unauthenticated attacker hitting the endpoint directly.

Affected Systems

The vulnerability affects LigeroSmart up to and including version 6.1.26; the NVD CPE is cpe:2.3:a:ligerosmart:ligerosmart:*:*:*:*:*:*:*:* with no fixed version recorded. The affected component is the OTRS-derived agent web interface, reached through /otrs/index.pl (in OTRS-derived systems the module is selected by the Action request parameter, here AgentDashboard), so any deployment that exposes the agent interface over the network is in scope.

Risk and Exploitability

The CVSS v4.0 score of 5.1 classifies the flaw as medium severity (the v3.x vectors score it 3.5, Low), and the EPSS score of less than 1% indicates a low probability of exploitation at the time of analysis. The vulnerability is not cataloged in CISA KEV. The recorded vectors (CVSSv3 PR:L/UI:R, CVSSv4 PR:L/UI:P) mean that low privileges and victim interaction are required: the target is an agent with a valid session who opens a crafted URL carrying the manipulated Subaction parameter. The SSVC assessment records Exploitation: poc and Automatable: no, and the description states that an exploit is public and that the project has not responded to the report, so there is no vendor fix to deploy yet.

Generated by OpenCVE AI on April 18, 2026 at 17:59 UTC.

Remediation

No vendor fix or workaround is currently provided; the description notes that the project was informed through an issue report and has not responded.

OpenCVE Recommended Actions

  • Track the project for a release newer than 6.1.26 that fixes the Subaction handling in AgentDashboard and upgrade as soon as it is available; no fixed release is listed at the time of writing.
  • Validate Subaction on the server side against an allow-list of the subaction names the AgentDashboard handler actually implements, reject anything else, and HTML-encode any request value that is reflected into a response (error pages included). Filtering out script tags is not sufficient: event-handler attributes and percent-encoded payloads evade tag-based filters.
  • As an interim measure, add a WAF rule for requests to /otrs/index.pl that target AgentDashboard and carry markup or encoded markup in Subaction, and alert on matches. Treat this as detection and a stopgap, not as a fix.

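The recommended actions describe the fix only as "validate Subaction". The following is an added example written for this page, not code from LigeroSmart or OTRS, in Python (chosen so it runs stand-alone; LigeroSmart itself is Perl). It shows the generic vulnerable pattern of a dispatch parameter reflected into an error page, the allow-list plus output-encoding fix, and why a tag-based blocklist of the kind a WAF rule might apply catches the obvious probe but not an event-handler payload. The subaction names, the error-page markup and the sample requests are all constructed for the example; the page does not say what LigeroSmart actually does with an unrecognised Subaction.

```python
"""Added example (not LigeroSmart code): a dispatch parameter reflected into
HTML, the allow-list fix, and the gap in a blocklist-style WAF rule."""
import html
import re
from urllib.parse import parse_qs

# Hypothetical set of Subaction values the dashboard handler accepts.
# These names are assumptions for this example, not LigeroSmart's real ones.
ALLOWED_SUBACTIONS = frozenset({"", "Element", "UpdatePreferences", "Reload"})


def _subaction(query_string: str) -> str:
    """Extract Subaction from a raw query string (percent-decoding included)."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("Subaction", [""])[0]


def dashboard_vulnerable(query_string: str) -> str:
    """Insecure pattern: an unrecognised Subaction is echoed into the page unescaped."""
    sub = _subaction(query_string)
    if sub in ALLOWED_SUBACTIONS:
        return f"<h1>Dashboard</h1><p>Handled subaction: {sub}</p>"
    # Attacker-controlled text lands in the HTML verbatim: reflected XSS (CWE-79).
    return f'<p class="error">Unknown Subaction: {sub}</p>'


def dashboard_hardened(query_string: str) -> str:
    """Fixed pattern: allow-list the dispatch value and escape anything reflected."""
    sub = _subaction(query_string)
    if sub not in ALLOWED_SUBACTIONS:
        # Reject without echoing the value; a generic message is enough for the user.
        return '<p class="error">Unknown Subaction.</p>'
    # The value is now one of ours, but escape anyway (defence in depth).
    return f"<h1>Dashboard</h1><p>Handled subaction: {html.escape(sub, quote=True)}</p>"


# A naive blocklist rule of the kind a WAF might apply to the Subaction parameter.
_BLOCKLIST = re.compile(r"<\s*script", re.IGNORECASE)


def naive_waf_blocks(query_string: str) -> bool:
    """True if the blocklist rule would drop the request; shows the stopgap's gap."""
    return bool(_BLOCKLIST.search(_subaction(query_string)))


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    probes = [
        "Action=AgentDashboard&Subaction=Reload",
        "Action=AgentDashboard&Subaction=<script>alert(1)</script>",
        "Action=AgentDashboard&Subaction=%3Cscript%3Ealert(1)%3C/script%3E",
        "Action=AgentDashboard&Subaction=<svg onload=alert(1)>",
    ]
    for q in probes:
        print(q)
        print("  vulnerable:", dashboard_vulnerable(q))
        print("  hardened:  ", dashboard_hardened(q))
        print("  WAF blocks:", naive_waf_blocks(q))
```

The last probe is the point of the WAF function: the blocklist stops the two `<script>` variants (the parser percent-decodes before the rule runs), but the `<svg onload=...>` payload passes it and is still reflected by the vulnerable handler, while the allow-list rejects all three without echoing anything.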


Advisories

No advisories yet.

History

Wed, 18 Feb 2026 22:00:00 +0000

Type      Values Removed    Values Added
CPEs                        cpe:2.3:a:ligerosmart:ligerosmart:*:*:*:*:*:*:*:*

Tue, 17 Feb 2026 19:15:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Feb 2026 12:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Ligerosmart
                                        Ligerosmart ligerosmart
Vendors & Products                      Ligerosmart
                                        Ligerosmart ligerosmart

Mon, 16 Feb 2026 08:45:00 +0000

Type          Values Removed    Values Added
Description                     A vulnerability was detected in LigeroSmart up to 6.1.26. The impacted element is the function AgentDashboard of the file /otrs/index.pl. Performing a manipulation of the argument Subaction results in cross site scripting. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title                           LigeroSmart index.pl AgentDashboard cross site scripting
Weaknesses                      CWE-79
                                CWE-94
References
Metrics                         cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
                                cvssV3_0: {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                                cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                                cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:07:40.765Z

Reserved: 2026-02-15T16:00:31.690Z

Link: CVE-2026-2547

Vulnrichment

Updated: 2026-02-17T18:30:26.276Z

NVD

Status : Analyzed

Published: 2026-02-16T09:16:08.660

Modified: 2026-02-18T21:45:21.910

Link: CVE-2026-2547

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:00:06Z

Weaknesses