{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26723", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-02-23T19:49:52.840Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-02-20T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-20T16:09:08.144Z"}, "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Key Systems Inc Global Facilities Management Software v. 20230721a allows a remote attacker to execute arbitrary code via the function parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26723"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T19:49:48.655794Z", "id": "CVE-2026-26723", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T19:49:52.840Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26723", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T19:49:48.655794Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T19:49:27.924Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26723"}], "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Key Systems Inc Global Facilities Management Software v. 20230721a allows a remote attacker to execute arbitrary code via the function parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-20T16:09:08.144Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26723", "state": "PUBLISHED", "dateUpdated": "2026-02-23T19:49:52.840Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-02-20T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:keystorage:global_facilities_management_software:20230721a:*:*:*:*:*:*:*", "matchCriteriaId": "B18D4BBF-3745-43E5-86FE-8834842D0E6B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Key Systems Inc Global Facilities Management Software v. 20230721a allows a remote attacker to execute arbitrary code via the function parameter."}, {"lang": "es", "value": "Una vulnerabilidad de Cross Site Scripting en el software Key Systems Inc Global Facilities Management v. 20230721a permite a un atacante remoto ejecutar c\u00f3digo arbitrario a trav\u00e9s del par\u00e1metro de funci\u00f3n."}], "id": "CVE-2026-26723", "lastModified": "2026-02-26T17:55:24.573", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T17:25:55.483", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26723"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "20230721a"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "product": "global_facilities_management_software", "vendor": "key_systems"}], "analysis": {"en": {"generated_at": "2026-04-17T17:40:04.485160+00:00", "value": {"mitigation_remediation": ["Apply the vendor's security update that addresses the XSS flaw in the Global Facilities Management Software.", "If an update is not yet available, sanitize all user\u2011supplied input to the vulnerable function and enforce proper output encoding before rendering to users.", "Deploy a web application firewall and enable a strict content\u2011security\u2011policy header to mitigate reflected and stored XSS attempts."], "summary": {"action": "Patch ASAP", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The software product affected is Key Systems Inc Global Facilities Management Software, specifically the 20230721a release. No other vendors or versions are currently listed as impacted.", "description_and_impact": "A cross\u2011site scripting flaw exists in Key Systems Inc Global Facilities Management Software version 20230721a. The vulnerability resides in a function that accepts user\u2011supplied parameters without adequate input validation or output encoding. An attacker can supply crafted input to inject malicious scripts, which are subsequently executed in the context of the application, leading to arbitrary code execution, credential theft, session hijacking, or further compromise of the underlying system. The flaw is identified as CWE\u201179, a classic reflected or stored XSS weakness.", "risk_and_exploitability": "The vulnerability scores a CVSS of 8.2, indicating a high severity potential. The EPSS score is below 1 percent, suggesting that the overall exploitation probability is currently low, and the vulnerability is not present in the CISA KEV catalog. The likely attack vector is remote, through a web interface or API that accepts the vulnerable function parameter. If an attacker can inject a malicious payload, they may gain arbitrary code execution on the host machine or compromise other users. While the current exploitation likelihood is low, the high impact warrants prompt attention. Applying a patch or mitigation is advised."}}}}, "created": "2026-02-23T14:47:16.242435+00:00", "title": "Cross Site Scripting Vulnerability Allowing Remote Code Execution via Function Parameter", "updated": "2026-04-17T17:45:24.346299+00:00", "vendors": ["key_systems", "key_systems$PRODUCT$global_facilities_management_software"]}