CVE-2026-26723
Published: 20 February 2026
Summary
CVE-2026-26723 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Keystorage Global Facilities Management Software. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Validates the function parameter input to reject or sanitize malicious scripts, directly preventing XSS exploitation in the Global Facilities Management Software.
Filters and encodes information output to web pages, blocking execution of injected scripts in victims' browsers and addressing the reflected XSS via function parameter.
Identifies, prioritizes, and remediates the specific XSS flaw in version 20230721a through patching or updates, eliminating the vulnerability at its root.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XSS vulnerability in public-facing software enables remote exploitation without authentication (T1190) and allows arbitrary code execution in browser context to steal session cookies and sensitive data (T1539).
NVD Description
Cross Site Scripting vulnerability in Key Systems Inc Global Facilities Management Software v. 20230721a allows a remote attacker to execute arbitrary code via the function parameter.
Deeper analysisAI
CVE-2026-26723 is a Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, in Key Systems Inc Global Facilities Management Software version 20230721a. Published on 2026-02-20, it enables a remote attacker to execute arbitrary code through the function parameter. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N), indicating high severity due to network accessibility, low attack complexity, no required privileges, user interaction dependency, changed scope, high confidentiality impact, low integrity impact, and no availability impact.
A remote attacker can exploit this vulnerability without authentication by crafting malicious input targeting the function parameter, typically delivered via a phishing link or malicious webpage that requires user interaction, such as clicking or viewing content. Successful exploitation executes arbitrary code in the victim's browser context, potentially leading to theft of sensitive session data, cookies, or other confidential information hosted by the application, as reflected in the high confidentiality impact and scope change.
The primary reference for this vulnerability is a GitHub repository containing vulnerability disclosures at https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26723, which may provide additional details on exploitation or remediation steps.
Details
- CWE(s)