CVE-2026-26721

Severity: High · Public PoC

Published: 20 February 2026
Modified: 26 February 2026
KEV Added: not listed
Patch: none specified
CVSS Score (v3.1): 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)
EPSS Score: 0.0007 (22.3rd percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26721 is a high-severity Use of HTTP Request With Sensitive Query String (CWE-598) vulnerability in Keystorage Global Facilities Management Software. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 22.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2026-26721 is a vulnerability in Key Systems Inc Global Facilities Management Software version 20230721a, stemming from CWE-598. It enables a remote attacker to obtain sensitive information via the sid query parameter. The issue has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N), highlighting high confidentiality impact, low attack complexity, no required privileges, and user interaction as a prerequisite.

Attackers can exploit this remotely by crafting requests that target the sid query parameter, typically by tricking users into clicking links or visiting pages that trigger the disclosure. No authentication is required, so unauthenticated remote exploitation can leak sensitive data; the integrity impact is limited and there is no availability impact.

The key reference is https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26721, a vulnerability disclosure repository that may detail proof-of-concept or further analysis, though no vendor advisories or patches are specified here. Security practitioners should review this source for mitigation steps and contact Key Systems Inc for official patches or workarounds.
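As an added example (not code from this record, from the disclosure repository, or from Key Systems Inc), the AU-13-style monitoring the record recommends can be implemented as a scan of reverse-proxy access logs that flags any request whose URL or Referer carries a session identifier such as sid in the query string, and redacts the value before the line is stored or forwarded. The Combined Log Format assumption, the hostname kms.example and the log lines are all constructed.

```python
"""Detect CWE-598-style session-ID exposure (e.g. ?sid=...) in web access logs."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names treated as session identifiers; "sid" is the one this CVE concerns.
SENSITIVE_PARAMS = {"sid", "sessionid", "phpsessid", "jsessionid"}

# Combined Log Format (assumed): ip - user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: line 1 carries sid in the request URL; line 2 shows the same sid
# copied into the Referer of a follow-up request, which is how it reaches logs and third parties.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Feb/2026:10:15:02 +0000] "GET /keys/list?sid=9f3a2c&page=2 HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Feb/2026:10:15:09 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 '
    '"https://kms.example/keys/list?sid=9f3a2c" "Mozilla/5.0"',
    '198.51.100.4 - - [20/Feb/2026:10:16:00 +0000] "GET /keys/list?page=1 HTTP/1.1" 200 600 '
    '"-" "curl/8.0"',
]

def sensitive_params_in(url: str) -> list[str]:
    """Return the sensitive parameter names present in the URL's query string."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in SENSITIVE_PARAMS]

def redact_query(url: str) -> str:
    """Replace sensitive parameter values so the URL can be stored or forwarded safely."""
    parts = urlsplit(url)
    pairs = [(k, "[REDACTED]" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))

def scan_log(lines):
    """Return one finding per request whose target URL or Referer carries a session id."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production scanner would count these
        for where in ("target", "referer"):
            hits = sensitive_params_in(m[where])
            if hits:
                findings.append({"ip": m["ip"], "where": where, "params": hits,
                                 "url": redact_query(m[where])})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```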

Vulnerability details

An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to obtain sensitive information via the sid query parameter.

CWE(s)

CWE-598 Use of HTTP Request With Sensitive Query String

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

This CVE enables remote exploitation of a public-facing web application (T1190) to leak sensitive data through insecure query-parameter handling, which directly facilitates access to unsecured credentials (T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-26722: same product (Keystorage Global Facilities Management Software)
CVE-2026-26724: same product (Keystorage Global Facilities Management Software)
CVE-2026-26723: same product (Keystorage Global Facilities Management Software)
CVE-2026-25118: shared CWE-598
CVE-2025-41772: shared CWE-598
CVE-2025-13219: shared CWE-598
CVE-2025-69270: shared CWE-598
CVE-2026-34020: shared CWE-598
CVE-2026-22644: shared CWE-598
CVE-2026-23846: shared CWE-598

Affected Assets

Vendor: keystorage
Product: global facilities management software
Version: 20230721a

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent, SC-23 (Session Authenticity): directly requires protection of session authenticity, preventing exposure and replay of the sid query parameter used as a session identifier.

Prevent: enforces information-flow rules that can block sensitive session identifiers from being passed in query parameters.

Detect, AU-13 (Monitoring for Information Disclosure): explicitly monitors for unauthorized information disclosure involving parameters such as sid.

References

https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26721