Description
An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to obtain sensitive information via the sid query parameter.
Published: 2026-02-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Apply Patch
AI Analysis

Impact

Based on the description, it is inferred that Key Systems Inc Global Facilities Management Software version 20230721a contains a vulnerability that could allow an unauthenticated or remote attacker to obtain confidential data through the sid query parameter. The flaw permits the attacker to retrieve sensitive information without the need for credential disclosure, leading directly to a breach of confidentiality. The weakness is classified as Sensitive Information Exposure (CWE-598).

Affected Systems

The affected product is Key Systems Inc Global Facilities Management Software, version 20230721a. No other products or versions were specifically listed as vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.1, indicating a high security impact. The EPSS (Exploit Prediction Scoring System) probability is less than 1%, suggesting that exploitation attempts are expected to be rare at present, and the flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that if an attacker discovers a method to pass the sid parameter, they could obtain confidential information with minimal effort. Because the flaw is remotely reachable and can leak sensitive data, the impact of a successful attack would be significant even though wide exploitation is unlikely now.

Generated by OpenCVE AI on April 18, 2026 at 11:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor‑supplied patch or upgrade that removes the insecure sid query parameter.
  • If no patch is available, restrict or block requests containing the sid parameter using firewall or web‑server rules, and enforce authentication before any related functionality is accessed.
  • Configure input validation to reject malformed or suspicious sid values and implement comprehensive logging to detect potential abuse of the parameter.

Generated by OpenCVE AI on April 18, 2026 at 11:37 UTC.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 12:00:00 +0000

Type | Values Removed | Values Added
Title | | Sensitive Information Exposure via SID Query Parameter

Thu, 26 Feb 2026 18:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Keystorage; Keystorage global Facilities Management Software
CPEs | | cpe:2.3:a:keystorage:global_facilities_management_software:20230721a:*:*:*:*:*:*:*
Vendors & Products | | Keystorage; Keystorage global Facilities Management Software

Mon, 23 Feb 2026 21:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-598
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Key Systems; Key Systems global Facilities Management Software
Vendors & Products | | Key Systems; Key Systems global Facilities Management Software

Fri, 20 Feb 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to obtain sensitive information via the sid query parameter.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-02-23T20:23:23.839Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26721

Vulnrichment

Updated: 2026-02-23T20:21:00.800Z

NVD

Status: Analyzed

Published: 2026-02-20T17:25:55.270

Modified: 2026-02-26T17:57:40.220

Link: CVE-2026-26721

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:45:44Z
