CVE-2026-30082

MEDIUM

IngEstate Server 11.14.0 - Stored XSS

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-30082. PoCs published by Cr0wld3r.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of a stored XSS vulnerability in IngEstate Server 11.14.0, specifically in the Edit feature of the Software Package List page. The vulnerability allows authenticated users to inject malicious JavaScript into parameters like 'About application', 'What's news', or 'Release note', which executes when other users view these sections.

Description

Multiple stored cross-site scripting (XSS) vulnerabilities in the Edit feature of the Software Package List page of IngEstate Server v11.14.0 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the About application, What's news, or Release note parameters.

Exploits (1)

nomisec WRITEUP
by Cr0wld3r · poc
https://github.com/Cr0wld3r/CVE-2026-30082

Classification: Writeup 90%
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: IngEstate Server 11.14.0
Auth required
Prerequisites: Authenticated access to the IngEstate Server dashboard · Access to the Software Package List page
devstral-2 · analyzed May 03, 2026

Scores

CVSS v3 6.1
EPSS 0.0023
EPSS Percentile 13.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
n/a/n/a
Published Mar 30, 2026
Tracked Since Mar 30, 2026