Description
Stored Cross-Site Scripting (XSS) vulnerability in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/configuracion/agenda/modelo-formulario-evento'. A user with permission to create personalized accounts could exploit this vulnerability simply by creating a malicious survey that would harm the entire veterinary team. At the same time, a user with low privileges could exploit this vulnerability to access unauthorized data and perform actions with elevated privileges.
Published: 2026-03-16
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

A stored cross‑site scripting (XSS) flaw resides in the endpoint vets.wakyma.com/configuracion/agenda/modelo-formulario-evento of the Wakyma web application. A user who has permission to create personalized accounts can inject a malicious survey that, once stored, will be rendered to all other users, potentially harming the entire veterinary team. Additionally, a user with low privileges can exploit the vulnerability to access unauthorized data and perform actions with elevated privileges, as stated in the vendor description.

Affected Systems

The vulnerability affects the Wakyma web application. The provided data does not list a specific version range; the CPE entries imply all current versions may be impacted until the fix is applied.

Risk and Exploitability

The CVSS score is 4.8, indicating moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is likely authenticated or internal, requiring an attacker to have write access to create a malicious survey or basic user privileges to benefit from the stored XSS.

Generated by OpenCVE AI on March 19, 2026 at 21:51 UTC.

Remediation

Vendor Solution

Wakyma has fixed the vulnerability in the continuous integration deployed in production since February 19, 2026.


OpenCVE Recommended Actions

  • Apply the Wakyma vendor patch released on February 19, 2026, which resolves the stored XSS issue.
  • Verify that the application is running the patched continuous‑integration build and confirm that the survey creation endpoint no longer accepts untrusted input.


Advisories

No advisories yet.

History

Thu, 19 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Wakyma wakyma
CPEs cpe:2.3:a:wakyma:wakyma:-:*:*:*:*:*:*:*
Vendors & Products Wakyma wakyma
Metrics cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Mon, 16 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description Stored Cross-Site Scripting (XSS) vulnerability in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/configuracion/agenda/modelo-formulario-evento'. A user with permission to create personalized accounts could exploit this vulnerability simply by creating a malicious survey that would harm the entire veterinary team. At the same time, a user with low privileges could exploit this vulnerability to access unauthorized data and perform actions with elevated privileges.
Title Stored Cross-Site Scripting (XSS) vulnerability in the Wakyma application web
First Time appeared Wakyma; Wakyma wakyma Application Web
Weaknesses CWE-79
CPEs cpe:2.3:a:wakyma:wakyma_application_web:all_versions:*:*:*:*:*:*:*
Vendors & Products Wakyma; Wakyma wakyma Application Web
References
Metrics cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-16T13:25:02.460Z

Reserved: 2026-02-23T13:43:57.015Z

Link: CVE-2026-3024

Vulnrichment

Updated: 2026-03-16T13:24:56.610Z

NVD

Status: Analyzed

Published: 2026-03-16T14:19:45.857

Modified: 2026-03-19T20:01:40.933

Link: CVE-2026-3024

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T08:00:28Z

Weaknesses