Description
Cross Site Scripting vulnerability in Key Systems Inc Global Facilities Management Software v. 20230721a allows a remote attacker to execute arbitrary code via the selectgroup and gn parameters on the /?Function=Groups endpoint.
Published: 2026-02-20
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Client-side XSS
Action: Immediate Patch
AI Analysis

Impact

Key Systems Inc Global Facilities Management Software contains a reflected cross-site scripting flaw at the /?Function=Groups endpoint. The vulnerability allows an attacker to craft a URL that injects arbitrary JavaScript through the selectgroup and gn parameters. When a user follows the malicious link, the script executes in the user's browser context. Based on the description, it is inferred that this could enable credential theft, session hijacking, or full compromise of the application.

Affected Systems

The flaw affects the 20230721a release of Key Systems Inc Global Facilities Management Software. No other versions or vendors are listed as affected.

Risk and Exploitability

With a CVSS score of 7.6 the vulnerability is classified as high severity. The EPSS score of less than 1% indicates that the exploitation probability is currently low, yet the flaw is publicly documented and not listed in the CISA KEV catalog. The likely attack vector is the web, where an attacker sends a crafted HTTP/HTTPS request to the /?Function=Groups endpoint. Anyone who follows the malicious URL can trigger the flaw, making proactive mitigation advisable.

Generated by OpenCVE AI on April 18, 2026 at 19:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑released patch for Global Facilities Management Software when it becomes available.
  • Configure the application or a web application firewall to escape or encode the selectgroup and gn parameters and prevent script injection.
  • Restrict the /?Function=Groups endpoint to authenticated, authorized users or block it from external sources.

Generated by OpenCVE AI on April 18, 2026 at 19:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Title Client-side XSS via selectgroup and gn parameters in Global Facilities Management Software

Thu, 26 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Keystorage
Keystorage global Facilities Management Software
Weaknesses CWE-79
CPEs cpe:2.3:a:keystorage:global_facilities_management_software:20230721a:*:*:*:*:*:*:*
Vendors & Products Keystorage
Keystorage global Facilities Management Software

Mon, 23 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Key Systems
Key Systems global Facilities Management Software
Vendors & Products Key Systems
Key Systems global Facilities Management Software

Fri, 20 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Description Cross Site Scripting vulnerability in Key Systems Inc Global Facilities Management Software v. 20230721a allows a remote attacker to execute arbitrary code via the selectgroup and gn parameters on the /?Function=Groups endpoint.
References

Subscriptions

Key Systems Global Facilities Management Software
Keystorage Global Facilities Management Software
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-02-26T22:06:41.927Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26724

cve-icon Vulnrichment

Updated: 2026-02-23T20:01:17.228Z

cve-icon NVD

Status : Modified

Published: 2026-02-20T17:25:55.590

Modified: 2026-02-26T23:16:34.630

Link: CVE-2026-26724

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T19:45:08Z

Weaknesses