CVE-2026-26721
Published: 20 February 2026
Summary
CVE-2026-26721 is a high-severity Use of GET Request Method With Sensitive Query Strings (CWE-598) vulnerability in Keystorage Global Facilities Management Software. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 22.1 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Protects sensitive data placed in query strings from interception in transit when confidentiality controls like HTTPS are enforced.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The CVE enables remote exploitation of a public-facing web application (T1190) to leak sensitive data via insecure query parameter handling, directly facilitating unsecured credential access (T1552).
NVD Description
An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to obtain sensitive information via the sid query parameter.
Deeper analysis (AI)
CVE-2026-26721 is a vulnerability in Key Systems Inc Global Facilities Management Software version 20230721a, stemming from CWE-598. It enables a remote attacker to obtain sensitive information via the sid query parameter. The issue has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N), highlighting high confidentiality impact, low attack complexity, no required privileges, and user interaction as a prerequisite.
Attackers can exploit this remotely by crafting malicious requests targeting the sid query parameter, typically tricking users into clicking links or visiting pages that trigger the disclosure. No authentication is needed; exploitation leaks sensitive data, with limited integrity impact and no denial-of-service effects.
The key reference is https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26721, a vulnerability disclosure repository that may detail proof-of-concept or further analysis, though no vendor advisories or patches are specified here. Security practitioners should review this source for mitigation steps and contact Key Systems Inc for official patches or workarounds.
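With CWE-598 in general, a value carried in the URL is also written to web server access logs and sent in the Referer header of later requests. The following is an added example, not code from the NVD entry or the disclosure repository, that flags and redacts `sid` values in Combined Log Format lines; the log lines, host name and paths are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format: ... "METHOD target PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)
SENSITIVE = {"sid"}  # parameter named in the NVD description
REDACT_RE = re.compile(r'([?&](?:%s)=)[^&#\s"]*' % "|".join(SENSITIVE), re.I)

# Constructed sample lines (hypothetical host and paths, not taken from the product).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Feb/2026:10:00:00 +0000] "GET /app/home?sid=EXAMPLE123&tab=1 '
    'HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Feb/2026:10:00:05 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 '
    '"https://fm.example.test/app/home?sid=EXAMPLE123&tab=1" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Feb/2026:10:01:00 +0000] "POST /app/login HTTP/1.1" 302 0 '
    '"-" "Mozilla/5.0"',
]

def _has_sensitive(url):
    """True if the URL's query string carries a sensitive parameter name."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return any(name.lower() in SENSITIVE for name, _ in pairs)

def audit_line(line):
    """Return (where, redacted_line); where lists 'target' and/or 'referer'."""
    m = LINE_RE.search(line)
    if not m:
        return [], line
    where = [f for f in ("target", "referer") if _has_sensitive(m.group(f))]
    # Redact the value wherever it appears on the line, keeping other parameters.
    return where, (REDACT_RE.sub(r"\1REDACTED", line) if where else line)

def audit(lines):
    """Return (line_number, where, redacted_line) for every line exposing a sid."""
    findings = []
    for number, line in enumerate(lines, start=1):
        where, redacted = audit_line(line)
        if where:
            findings.append((number, where, redacted))
    return findings

if __name__ == "__main__":
    for number, where, redacted in audit(SAMPLE_LOG):
        print(number, ",".join(where), redacted)
```

The second sample line shows the value surfacing through the Referer of a request whose own URL contains no `sid`.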
Details
- CWE(s)