{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2546", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-15T16:00:28.877Z", "datePublished": "2026-02-16T08:02:07.017Z", "dateUpdated": "2026-02-23T10:07:28.179Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T10:07:28.179Z"}, "title": "LigeroSmart index.pl cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "n/a", "product": "LigeroSmart", "versions": [{"version": "6.1.0", "status": "affected"}, {"version": "6.1.1", "status": "affected"}, {"version": "6.1.2", "status": "affected"}, {"version": "6.1.3", "status": "affected"}, {"version": "6.1.4", "status": "affected"}, {"version": "6.1.5", "status": "affected"}, {"version": "6.1.6", "status": "affected"}, {"version": "6.1.7", "status": "affected"}, {"version": "6.1.8", "status": "affected"}, {"version": "6.1.9", "status": "affected"}, {"version": "6.1.10", "status": "affected"}, {"version": "6.1.11", "status": "affected"}, {"version": "6.1.12", "status": "affected"}, {"version": "6.1.13", "status": "affected"}, {"version": "6.1.14", "status": "affected"}, {"version": "6.1.15", "status": "affected"}, {"version": "6.1.16", "status": "affected"}, {"version": "6.1.17", "status": "affected"}, {"version": "6.1.18", "status": "affected"}, {"version": "6.1.19", "status": "affected"}, {"version": "6.1.20", "status": "affected"}, {"version": "6.1.21", "status": "affected"}, {"version": "6.1.22", "status": "affected"}, {"version": "6.1.23", "status": "affected"}, {"version": "6.1.24", "status": "affected"}, {"version": "6.1.25", "status": "affected"}, {"version": "6.1.26", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. Such manipulation of the argument SortBy leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-02-15T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-15T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-20T08:22:53.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Samara Gama - igobysamy (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.346155", "name": "VDB-346155 | LigeroSmart index.pl cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346155", "name": "VDB-346155 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.749784", "name": "Submit #749784 | LigeroSmart LigeroSmart (OTRS-based platform) 6.1.27 Cross-Site Scripting (XSS) - Reflected XSS", "tags": ["third-party-advisory"]}, {"url": "https://github.com/LigeroSmart/ligerosmart/issues/283", "tags": ["issue-tracking"]}, {"url": "https://github.com/LigeroSmart/ligerosmart/issues/283#issue-3879199951", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/LigeroSmart/ligerosmart/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T18:30:57.443842Z", "id": "CVE-2026-2546", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T18:31:07.881Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2546", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T18:30:57.443842Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T18:31:03.014Z"}}], "cna": {"title": "LigeroSmart index.pl cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "Samara Gama - igobysamy (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "n/a", "product": "LigeroSmart", "versions": [{"status": "affected", "version": "6.1.0"}, {"status": "affected", "version": "6.1.1"}, {"status": "affected", "version": "6.1.2"}, {"status": "affected", "version": "6.1.3"}, {"status": "affected", "version": "6.1.4"}, {"status": "affected", "version": "6.1.5"}, {"status": "affected", "version": "6.1.6"}, {"status": "affected", "version": "6.1.7"}, {"status": "affected", "version": "6.1.8"}, {"status": "affected", "version": "6.1.9"}, {"status": "affected", "version": "6.1.10"}, {"status": "affected", "version": "6.1.11"}, {"status": "affected", "version": "6.1.12"}, {"status": "affected", "version": "6.1.13"}, {"status": "affected", "version": "6.1.14"}, {"status": "affected", "version": "6.1.15"}, {"status": "affected", "version": "6.1.16"}, {"status": "affected", "version": "6.1.17"}, {"status": "affected", "version": "6.1.18"}, {"status": "affected", "version": "6.1.19"}, {"status": "affected", "version": "6.1.20"}, {"status": "affected", "version": "6.1.21"}, {"status": "affected", "version": "6.1.22"}, {"status": "affected", "version": "6.1.23"}, {"status": "affected", "version": "6.1.24"}, {"status": "affected", "version": "6.1.25"}, {"status": "affected", "version": "6.1.26"}]}], "timeline": [{"lang": "en", "time": "2026-02-15T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-15T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-20T08:22:53.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.346155", "name": "VDB-346155 | LigeroSmart index.pl cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346155", "name": "VDB-346155 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.749784", "name": "Submit #749784 | LigeroSmart LigeroSmart (OTRS-based platform) 6.1.27 Cross-Site Scripting (XSS) - Reflected XSS", "tags": ["third-party-advisory"]}, {"url": "https://github.com/LigeroSmart/ligerosmart/issues/283", "tags": ["issue-tracking"]}, {"url": "https://github.com/LigeroSmart/ligerosmart/issues/283#issue-3879199951", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/LigeroSmart/ligerosmart/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. Such manipulation of the argument SortBy leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T10:07:28.179Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2546", "state": "PUBLISHED", "dateUpdated": "2026-02-23T10:07:28.179Z", "dateReserved": "2026-02-15T16:00:28.877Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-16T08:02:07.017Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ligerosmart:ligerosmart:*:*:*:*:*:*:*:*", "matchCriteriaId": "A6446F8A-7F90-4333-A60D-2CAAC185002A", "versionEndIncluding": "6.1.26", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. Such manipulation of the argument SortBy leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet."}, {"lang": "es", "value": "Una vulnerabilidad de seguridad ha sido detectada en LigeroSmart hasta la versi\u00f3n 6.1.26. El elemento afectado es una funci\u00f3n desconocida del archivo /otrs/index.pl. Dicha manipulaci\u00f3n del argumento SortBy conduce a cross-site scripting. El ataque puede ser lanzado de forma remota. El exploit ha sido divulgado p\u00fablicamente y puede ser utilizado. El proyecto fue informado del problema con antelaci\u00f3n a trav\u00e9s de un informe de problema, pero a\u00fan no ha respondido."}], "id": "CVE-2026-2546", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-16T09:16:08.437", "references": [{"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://github.com/LigeroSmart/ligerosmart/"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/LigeroSmart/ligerosmart/issues/283"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/LigeroSmart/ligerosmart/issues/283#issue-3879199951"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.346155"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.346155"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.749784"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.6"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.8"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.10"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.11"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.12"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.13"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.14"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.15"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.16"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.17"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.18"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.19"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.20"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.21"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.22"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.23"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.24"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.25"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.1.26"}}], "product": "ligerosmart", "vendor": "ligerosmart"}], "analysis": {"en": {"generated_at": "2026-04-17T19:11:28.623438+00:00", "value": {"mitigation_remediation": ["Check for an official patch or upgrade to a version newer than 6.1.26 once released and apply it immediately.", "Until a fix is available, restrict access to the /otrs/index.pl script or eliminate the SortBy parameter from URLs served to users.", "Implement input validation to sanitize the SortBy value, removing or escaping script tags and other potentially dangerous payloads before it is processed by the application.", "Deploy a web application firewall to block XSS payloads targeting the SortBy argument."], "summary": {"action": "Assess Impact", "impact": "Cross\u2011site scripting"}, "threat_synthesis": {"affected_systems": "Products affected are LigeroSmart, versions up to and including 6.1.26. No specific sub\u2011versions are listed beyond this upper bound.", "description_and_impact": "A vulnerability was discovered in LigeroSmart up to version 6.1.26. The vulnerable component is an obscured function within the /otrs/index.pl script. By manipulating the SortBy argument, an attacker can inject malicious script content, resulting in reflected cross\u2011site scripting that can be triggered remotely. This flaw corresponds to CWE\u201179 and CWE\u201194, allowing an attacker to execute arbitrary JavaScript in the context of legitimate users who visit the affected URL.", "risk_and_exploitability": "The CVSS score of 5.1 indicates a medium severity; EPSS below 1% and absence from the KEV catalog suggests a low probability of widespread exploitation at present. The attack can be launched remotely by supplying a crafted SortBy value in a request to the index.pl endpoint. Although the vulnerability was publicly disclosed, the vendor has not yet released a fix. Systems currently running the affected versions remain vulnerable until a patch or mitigative configuration is applied."}}}}, "created": "2026-02-16T12:01:03.165241+00:00", "updated": "2026-04-17T19:15:26.258529+00:00", "vendors": ["ligerosmart", "ligerosmart$PRODUCT$ligerosmart"]}