CVE-2026-6954
MediumCVSS 5.1Exploitation Probability (EPSS)
Low risk28th percentile — higher than 28% of all known CVEs
Summary
Cross-Site Scripting (XSS) vulnerability in Intermark IT's WebControl CMS v3.5. An attacker can execute JavaScript code or inject a dynamic iframe into the victim's browser by sending a malicious URL via the 'urlDestino' parameter in '/portal.do'.
Risk Assessment
The risk for the organization includes theft of sensitive user data such as session cookies, display of phishing interfaces, or performing actions on the user's behalf, potentially leading to confidentiality and integrity breaches.
Recommendation
It is recommended to immediately update WebControl CMS to the latest version and apply input validation and encoding for the 'urlDestino' parameter to prevent script injection.
Original NVD description (English source)
Cross-Site Scripting (XSS) vulnerability in Intermark IT's WebControl CMS v3.5. This vulnerability allows an attacker to execute JavaScript code or inject a dynamic iframe into the victim’s browser by sending a malicious URL via the 'urlDestino' parameter in '/portal.do'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, display phishing interfaces, or perform actions on the user’s behalf.

