Cyber Resilience

CVE-2026-26724

HighPublic PoC

Published: 20 February 2026

Published
20 February 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score v3.1 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
EPSS Score 0.0008 24.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26724 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Keystorage Global Facilities Management Software. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-26724 is a Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Key Systems Inc Global Facilities Management Software version 20230721a. The flaw enables a remote attacker to execute arbitrary code through the selectgroup and gn parameters on the /?Function=Groups endpoint. It carries a CVSS v3.1 base score of 7.6, reflecting network accessibility, low attack complexity, requirement for low privileges and user interaction, changed scope, high confidentiality impact, low integrity impact, and no availability impact.

An attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network by crafting malicious inputs for the vulnerable parameters and inducing a targeted user to interact with them, such as by clicking a link or submitting a form (UI:R). Successful exploitation allows execution of arbitrary code in the victim's browser context, potentially compromising sensitive data due to the high confidentiality impact and scope change.

Mitigation details are available in the vulnerability disclosure at https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26724, published on 2026-02-20.

EU & UK References

Vulnerability details

Cross Site Scripting vulnerability in Key Systems Inc Global Facilities Management Software v. 20230721a allows a remote attacker to execute arbitrary code via the selectgroup and gn parameters on the /?Function=Groups endpoint.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

XSS in public-facing web app directly enables remote exploitation (T1190) and arbitrary JavaScript execution in victim browser (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-26723Same product: Keystorage Global Facilities Management Software
CVE-2026-26722Same product: Keystorage Global Facilities Management Software
CVE-2026-26721Same product: Keystorage Global Facilities Management Software
CVE-2026-3231Shared CWE-79
CVE-2025-23481Shared CWE-79
CVE-2025-69302Shared CWE-79
CVE-2025-23734Shared CWE-79
CVE-2025-23571Shared CWE-79
CVE-2025-65110Shared CWE-79
CVE-2026-24948Shared CWE-79

Affected Assets

keystorage
global facilities management software
20230721a

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents XSS exploitation by validating the selectgroup and gn parameters on the /?Function=Groups endpoint to block malicious script injection.

prevent

Mitigates XSS by filtering and encoding information outputs from the vulnerable endpoint, preventing arbitrary code execution in victims' browsers.

prevent

Remediates the specific XSS flaw in Global Facilities Management Software v.20230721a through timely patching, eliminating the vulnerability.

References