CVE-2026-22198
Severity: MEDIUM
GestSup < 3.2.56 - Unauthenticated Stored Cross-Site Scripting via API Error Logs
Title source: llmDescription
GestSup versions prior to 3.2.60 contain a pre-authentication stored cross-site scripting (XSS) vulnerability in the API error logging functionality. By sending an API request with a crafted X-API-KEY header value (for example, to /api/v1/ticket.php), an unauthenticated attacker can cause attacker-controlled HTML/JavaScript to be written to log entries. When an administrator later views the affected logs in the web interface, the injected content is rendered without proper output encoding, resulting in arbitrary script execution in the administrator's browser session. Note the version mismatch on this page: the description bounds the vulnerable range at versions prior to 3.2.60, while the title and the affected-products entry give < 3.2.56; check the vendor changelog in the references before deciding whether a given deployment is fixed. The injection point is reachable without credentials and the payload fires only when a privileged user opens the log view, which is what the PR:N, UI:R and S:C components of the CVSS vector express. Entries written before an upgrade may still carry the payload, so review and clear stored log content rather than assuming the upgrade alone disposes of it.
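The pattern the description above sets out, reduced to a runnable model, as an added example that is not GestSup's code (the application is PHP; this illustration is in Python so it can be run in isolation): an API handler that records the raw X-API-KEY value in its error log on authentication failure, an admin log view that interpolates the stored value into HTML unencoded (the vulnerable sink), the same view with HTML-context output encoding, and a heuristic check that flags stored entries containing markup. The endpoint path, the field names, the valid-key set, the log structure and the sample traffic are assumptions constructed for illustration.

```python
import html
import re

# Constructed, illustrative model of the bug class described above; not GestSup's code.
# Field names, the endpoint path, the valid-key set and the sample API keys are assumptions.

VALID_KEYS = {"k3y-for-integration-01"}  # assumed valid key set


class ErrorLog:
    """In-memory stand-in for the API error log the advisory refers to."""

    def __init__(self):
        self.entries = []

    def record_auth_failure(self, path, api_key):
        # The attacker-controlled header value is stored verbatim. Storing it raw
        # is not itself the bug; the bug is rendering it into HTML unencoded later.
        self.entries.append({"path": path, "api_key": api_key})


def handle_api_request(log, path, headers):
    """Pre-auth entry point: any client can reach this and trigger a log write."""
    key = headers.get("X-API-KEY", "")
    if key not in VALID_KEYS:
        log.record_auth_failure(path, key)
        return 401, "invalid api key"
    return 200, "ok"


def render_log_vulnerable(log):
    """Admin log view with no output encoding: stored HTML is emitted as-is."""
    rows = "".join(
        f"<tr><td>{e['path']}</td><td>{e['api_key']}</td></tr>" for e in log.entries
    )
    return f"<table>{rows}</table>"


def render_log_hardened(log):
    """Same view with HTML-context output encoding applied to every stored field."""

    def esc(s):
        # quote=True also encodes ' and " so the value is safe inside attributes.
        return html.escape(s, quote=True)

    rows = "".join(
        f"<tr><td>{esc(e['path'])}</td><td>{esc(e['api_key'])}</td></tr>"
        for e in log.entries
    )
    return f"<table>{rows}</table>"


# Heuristic for triaging an existing log store: tag openers, javascript: URLs,
# and inline event handlers. Coarse by design; false positives are cheap here.
_MARKUP = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.I)


def suspicious_entries(log):
    """Return stored entries whose api_key field looks like injected markup."""
    return [e for e in log.entries if _MARKUP.search(e["api_key"])]


def demo():
    """Run constructed sample traffic through the model and return both renderings."""
    log = ErrorLog()
    # Constructed sample traffic: one mistyped key, one classic XSS probe string.
    handle_api_request(log, "/api/v1/ticket.php", {"X-API-KEY": "k3y-for-integration-02"})
    handle_api_request(log, "/api/v1/ticket.php", {"X-API-KEY": "<script>alert(1)</script>"})
    return {
        "entries": len(log.entries),
        "vulnerable_html": render_log_vulnerable(log),
        "hardened_html": render_log_hardened(log),
        "flagged": suspicious_entries(log),
    }


if __name__ == "__main__":
    out = demo()
    print("entries logged:", out["entries"])
    print("flagged:", [e["api_key"] for e in out["flagged"]])
    print("vulnerable view:", out["vulnerable_html"])
    print("hardened view:", out["hardened_html"])
```

The hardened renderer encodes at the output sink rather than filtering on input, because the same stored value may later be shown in another context (a CSV export, a JSON API, a different template) where HTML filtering would be wrong or insufficient. The suspicious_entries check is a triage aid for logs written before a fix was applied; a hit shows that markup was stored, not that an administrator ever opened the view that rendered it.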
References (2)
Release Notes: https://gestsup.fr/index.php?page=changelog
Third Party Advisory: https://www.vulncheck.com/advisories/gestsup-stored-xss-in-api-error-logs
Scores
CVSS v3
6.1
EPSS
0.0026
EPSS Percentile
17.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
gestsup/gestsup
< 3.2.56
Published
Jan 09, 2026
Tracked Since
Feb 18, 2026