CVE Catalog

CVE-2026-6954

MediumCVSS 5.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.37%

28th percentile — higher than 28% of all known CVEs

Summary

Cross-Site Scripting (XSS) vulnerability in Intermark IT's WebControl CMS v3.5. An attacker can execute JavaScript code or inject a dynamic iframe into the victim's browser by sending a malicious URL via the 'urlDestino' parameter in '/portal.do'.

Risk Assessment

The risk for the organization includes theft of sensitive user data such as session cookies, display of phishing interfaces, or performing actions on the user's behalf, potentially leading to confidentiality and integrity breaches.

Recommendation

It is recommended to immediately update WebControl CMS to the latest version and apply input validation and encoding for the 'urlDestino' parameter to prevent script injection.

Original NVD description (English source)

Cross-Site Scripting (XSS) vulnerability in Intermark IT's WebControl CMS v3.5. This vulnerability allows an attacker to execute JavaScript code or inject a dynamic iframe into the victim’s browser by sending a malicious URL via the 'urlDestino' parameter in '/portal.do'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, display phishing interfaces, or perform actions on the user’s behalf.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS