Description
A vulnerability has been found in WebSystems WebTOTUM 2026. This impacts an unknown function of the component Calendar. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Published: 2026-04-21
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Immediate Patch
AI Analysis

Impact

A vulnerability exists in an unknown function of the Calendar component of WebSystems WebTOTUM 2026 that allows malicious input to be reflected and executed as script in the victim’s browser. As an injection flaw, it is classified as CWE‑79 and CWE‑94. The flaw can lead to the execution of arbitrary client‑side code, potentially exposing user credentials, session tokens, or enabling drive‑by attacks if the victim visits a crafted URL or page.

Affected Systems

Only the WebSystems WebTOTUM 2026 product is affected, specifically the Calendar feature. No additional version range is listed, so all installed instances of the 2026 release are considered vulnerable.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity. The EPSS score is not published, and the issue is not listed in CISA KEV, so there is no evidence of mass exploitation yet. However, the exploit has been publicly disclosed and a fixed version has been issued by the vendor, implying that remote attackers could readily use the flaw if the system is not patched. The attack vector is inferred to be remote, as the description states that the attack may be initiated remotely and that the publicly disclosed exploit can be used.

Generated by OpenCVE AI on April 21, 2026 at 22:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the vendor‑released fixed version of WebTOTUM that addresses the Calendar XSS flaw.
  • If an immediate update is not possible, block or disable access to the Calendar feature until the patch can be applied.
  • Apply a strict Content Security Policy that disallows inline scripts and limits script sources to trusted domains to mitigate the impact of any remaining XSS payloads.

Generated by OpenCVE AI on April 21, 2026 at 22:39 UTC.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Websystems; Websystems webtotum
Vendors & Products                     Websystems; Websystems webtotum

Wed, 22 Apr 2026 00:00:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 16:45:00 +0000

Type                  Values Removed   Values Added
Description                            A vulnerability has been found in WebSystems WebTOTUM 2026. This impacts an unknown function of the component Calendar. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Title                                  WebSystems WebTOTUM Calendar cross site scripting
Weaknesses                             CWE-79; CWE-94
References
Metrics                                cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}
                                       cvssV3_0: {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
                                       cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
                                       cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-21T17:59:15.584Z

Reserved: 2026-04-21T11:56:50.965Z

Link: CVE-2026-6743

Vulnrichment

Updated: 2026-04-21T17:59:10.332Z

NVD

Status : Received

Published: 2026-04-21T17:16:58.157

Modified: 2026-04-21T17:16:58.157

Link: CVE-2026-6743

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:46:11Z

Weaknesses