{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26721", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-02-23T20:23:23.839Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-02-20T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-20T16:05:17.165Z"}, "descriptions": [{"lang": "en", "value": "An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to obtain sensitive information via the sid query parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26721"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-598", "lang": "en", "description": "CWE-598 Use of GET Request Method With Sensitive Query Strings"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T20:22:18.771975Z", "id": "CVE-2026-26721", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T20:23:23.839Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26721", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T20:22:18.771975Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-598", "description": "CWE-598 Use of GET Request Method With Sensitive Query Strings"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T20:21:00.800Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26721"}], "descriptions": [{"lang": "en", "value": "An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to obtain sensitive information via the sid query parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-20T16:05:17.165Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26721", "state": "PUBLISHED", "dateUpdated": "2026-02-23T20:23:23.839Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-02-20T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:keystorage:global_facilities_management_software:20230721a:*:*:*:*:*:*:*", "matchCriteriaId": "B18D4BBF-3745-43E5-86FE-8834842D0E6B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to obtain sensitive information via the sid query parameter."}, {"lang": "es", "value": "Un problema en el software de gesti\u00f3n de instalaciones globales de Key Systems Inc v.20230721a permite a un atacante remoto obtener informaci\u00f3n sensible a trav\u00e9s del par\u00e1metro de consulta sid."}], "id": "CVE-2026-26721", "lastModified": "2026-02-26T17:57:40.220", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T17:25:55.270", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26721"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-598"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "20230721a"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "product": "global_facilities_management_software", "vendor": "key_systems"}], "analysis": {"en": {"generated_at": "2026-04-18T11:37:19.460743+00:00", "value": {"mitigation_remediation": ["Apply the latest vendor\u2011supplied patch or upgrade that removes the insecure sid query parameter. ", "If no patch is available, restrict or block requests containing the sid parameter using firewall or web\u2011server rules, and enforce authentication before any related functionality is accessed. ", "Configure input validation to reject malformed or suspicious sid values and implement comprehensive logging to detect potential abuse of the parameter."], "summary": {"action": "Apply Patch", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "The affected product is Key Systems Inc Global Facilities Management Software, version 20230721a. No other products or versions were specifically listed as vulnerable.", "description_and_impact": "Based on the description, it is inferred that a vulnerability exists in Key Systems Inc Global Facilities Management Software version 20230721a that could allow an unauthenticated or remote attacker to expose confidential data through the sid query parameter. The flaw permits the attacker to retrieve sensitive information without the need for credential disclosure, leading directly to a breach of confidentiality. The weakness is classified as Sensitive Information Exposure (CWE-598).", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.1, indicating a high security impact. The Exploit Probability (EPSS) is less than 1%, suggesting that exploitation attempts are expected to be rare at present, and the flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that if an attacker discovers a method to pass the sid parameter, they could obtain confidential information with minimal effort. The remote nature of the flaw and the potential for sensitive data leakage mean that, while unlikely to be widely exploited now, the impact of a successful attack would be significant."}}}}, "created": "2026-02-23T14:47:19.188194+00:00", "title": "Sensitive Information Exposure via SID Query Parameter", "updated": "2026-04-18T11:45:44.591979+00:00", "vendors": ["key_systems", "key_systems$PRODUCT$global_facilities_management_software"]}