CVE-2026-5790

MEDIUM

Stel Order FrontController - Stored Cross-Site Scripting

Title source: manual

Description

Stored Cross-Site Scripting (XSS) in Stel Order v3.25.1 and earlier, located at the ‘/app/FrontController’ endpoint via the ‘legalName’ and ‘employeeID’ parameters. The lack of proper input sanitization allows an attacker to inject malicious code that is persistently stored in the database. When other users or administrators access the affected sections, the code executes in their browsers, enabling the theft of session cookies and account hijacking.

References (1)

Core 1

Core References

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-stel-order

Scores

CVSS v4 5.1

EPSS 0.0026

EPSS Percentile 16.9%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

Stel Order/Stel Order < 3.25.1

Published May 14, 2026

Tracked Since May 14, 2026