CVE-2026-5798

HIGH

Unsafe Object Reference (IDOR) vulnerability in Stel Order

Title source: cna

Description

Unsafe object reference (IDOR) in Stel Order v3.25.1 and earlier versions, specifically in the ‘/app/FrontController’ endpoint, through manipulation of the ‘employeeID’ parameter. An authenticated attacker could exploit this vulnerability to access information about any employee (first names, last names, roles, job titles, and vacation records, among others) by modifying that identifier in requests sent to the server.

References (1)

Core 1

Core References

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-stel-order

Scores

CVSS v4 7.1

EPSS 0.0021

EPSS Percentile 10.8%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (1)

Stel Order/Stel Order < 3.25.1

Published May 14, 2026

Tracked Since May 14, 2026