CVE-2026-26724
Published: 20 February 2026
Summary
CVE-2026-26724 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Keystorage Global Facilities Management Software. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 24.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-26724 is a Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Key Systems Inc Global Facilities Management Software version 20230721a. The flaw enables a remote attacker to execute arbitrary code through the selectgroup and gn parameters on the /?Function=Groups endpoint. It carries a CVSS v3.1 base score of 7.6, reflecting network accessibility, low attack complexity, requirement for low privileges and user interaction, changed scope, high confidentiality impact, low integrity impact, and no availability impact.
An attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network by crafting malicious inputs for the vulnerable parameters and inducing a targeted user to interact with them, such as by clicking a link or submitting a form (UI:R). Successful exploitation allows execution of arbitrary code in the victim's browser context, potentially compromising sensitive data due to the high confidentiality impact and scope change.
Mitigation details are available in the vulnerability disclosure at https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26724, published on 2026-02-20.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7504
Vulnerability details
Cross Site Scripting vulnerability in Key Systems Inc Global Facilities Management Software v. 20230721a allows a remote attacker to execute arbitrary code via the selectgroup and gn parameters on the /?Function=Groups endpoint.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.007 Command and Scripting Interpreter: JavaScript
Why these techniques?
XSS in a public-facing web application directly enables remote exploitation (T1190) and arbitrary JavaScript execution in the victim's browser (T1059.007).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents XSS exploitation by validating the selectgroup and gn parameters on the /?Function=Groups endpoint to block malicious script injection.
- SI-15 (Information Output Filtering): Mitigates XSS by filtering and encoding information output from the vulnerable endpoint, preventing arbitrary code execution in victims' browsers.
- Remediates the specific XSS flaw in Global Facilities Management Software v.20230721a through timely patching, eliminating the vulnerability.
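As an added illustration of the SI-10 and SI-15 controls above (example code written for this page, not code from Key Systems Inc, the disclosure, or the affected product), a hypothetical server-side handler that allowlist-validates the selectgroup and gn parameters of a Groups request and HTML-encodes them at the point where they are reflected into the response. The allowlist formats are assumptions, not the vendor's actual parameter formats.

```python
import html
import re
from urllib.parse import parse_qs

# Assumed (hypothetical) formats for the two reflected parameters:
# selectgroup is a numeric identifier, gn is a short group name.
SELECTGROUP_RE = re.compile(r"[0-9]{1,10}")
GN_RE = re.compile(r"[A-Za-z0-9 ._-]{1,64}")


class InvalidParameter(ValueError):
    """Raised when a request parameter fails SI-10 style input validation."""


def validate_groups_params(query: str) -> dict:
    """SI-10 (input validation): parse the query string of a Groups request and
    reject any selectgroup/gn value that is missing, duplicated (parameter
    pollution) or outside its allowlist."""
    params = parse_qs(query, keep_blank_values=True)
    if params.get("Function") != ["Groups"]:
        raise InvalidParameter("not a Groups request")
    clean = {}
    for name, pattern in (("selectgroup", SELECTGROUP_RE), ("gn", GN_RE)):
        values = params.get(name, [])
        if len(values) != 1 or not pattern.fullmatch(values[0]):
            raise InvalidParameter(f"parameter {name!r} rejected by allowlist")
        clean[name] = values[0]
    return clean


def encode_for_attribute(value: str) -> str:
    """SI-15 (output filtering): HTML-encode a value for an attribute context,
    including quotes, so it can only ever be rendered as text."""
    return html.escape(value, quote=True)


def render_groups_page(query: str) -> str:
    """Reflect the validated parameters into the form, encoding on output as
    defence in depth even though the allowlist already excludes markup."""
    clean = validate_groups_params(query)
    sg = encode_for_attribute(clean["selectgroup"])
    gn = encode_for_attribute(clean["gn"])
    return (f'<form><input name="selectgroup" value="{sg}">'
            f'<input name="gn" value="{gn}"></form>')


def safe_or_error(query: str) -> str:
    """Return the rendered page, or a fixed error page on invalid input, so a
    rejected raw parameter value never reaches the response body."""
    try:
        return render_groups_page(query)
    except InvalidParameter:
        return "<p>Invalid request.</p>"
```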