CVE-2026-22198
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-09

Last updated on: 2026-01-09

Assigner: VulnCheck

Description
GestSup versions up to and including 3.2.56 contain a pre-authentication stored cross-site scripting (XSS) vulnerability in the API error logging functionality. By sending an API request with a crafted X-API-KEY header value (for example, to /api/v1/ticket.php), an unauthenticated attacker can cause attacker-controlled HTML/JavaScript to be written to log entries. When an administrator later views the affected logs in the web interface, the injected content is rendered without proper output encoding, resulting in arbitrary script execution in the administrator’s browser session.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-09
Last Modified
2026-01-09
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22198
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
gestsup gestsup to 3.2.56 (inc)
gestsup gestsup From 3.2.45 (inc)
gestsup gestsup From 3.2.40 (inc) to 3.2.59 (inc)
gestsup gestsup 3.2.59
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22198 is a stored cross-site scripting (XSS) vulnerability in GestSup versions up to 3.2.56. It occurs in the API error logging functionality, where an unauthenticated attacker can send a crafted API request with a malicious X-API-KEY header. This causes attacker-controlled HTML or JavaScript code to be stored in the error logs. When an administrator views these logs in the web interface, the malicious code is executed in the administrator's browser because the content is not properly encoded. [2]

Impact Analysis

This vulnerability can lead to arbitrary script execution in an administrator's browser session when they view the affected logs. This could allow attackers to perform actions such as stealing administrator session cookies, executing unauthorized actions, or compromising the administrator's account and the system's security. [2]

Detection Guidance

This vulnerability can be detected by monitoring API requests to the endpoint /api/v1/ticket.php for suspicious or crafted X-API-KEY header values that may contain malicious HTML or JavaScript code. Additionally, reviewing the API error logs for unexpected or attacker-controlled content can help identify exploitation attempts. Specific commands are not provided in the resources. [2]

Mitigation Strategies

Immediate mitigation steps include updating GestSup to a version later than 3.2.56 where this vulnerability is fixed. Additionally, restricting access to the API endpoints, monitoring and sanitizing API request headers, and avoiding viewing error logs in the web interface until the system is patched can reduce risk. [2, 1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22198. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart