CVE-2026-2546
Unknown Unknown - Not Provided
Cross-Site Scripting in LigeroSmart /otrs/index.pl Remote Exploit

Publication date: 2026-02-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. Such manipulation of the argument SortBy leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-16
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2546
EUVD
EUVD-2026-6118
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ligerosmart ligerosmart to 6.1.26 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2546 is a reflected Cross-Site Scripting (XSS) vulnerability in the LigeroSmart application, specifically involving the "SortBy" parameter in HTTP POST requests to the /otrs/index.pl endpoint.'}, {'type': 'paragraph', 'content': 'An attacker can exploit this vulnerability by sending a crafted POST request with malicious JavaScript code embedded in the "SortBy" parameter. This malicious code is then reflected in the server\'s response without proper sanitization or encoding, allowing the attacker to execute arbitrary scripts in the victim\'s browser.'}, {'type': 'paragraph', 'content': 'The vulnerability arises due to insufficient input validation and output encoding of the "SortBy" parameter, enabling remote attackers to inject and execute JavaScript code via reflected XSS.'}] [1, 2, 3]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows an attacker to execute arbitrary JavaScript code in the context of a victim's browser when they access the affected LigeroSmart page."}, {'type': 'paragraph', 'content': 'Such script execution can lead to various impacts including theft of session cookies, user impersonation, unauthorized actions performed on behalf of the user, and potential compromise of data integrity.'}, {'type': 'paragraph', 'content': 'Because the attack is reflected and requires some user interaction, it can be used in phishing or social engineering attacks to trick users into triggering the malicious payload.'}] [1, 2, 3]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by sending crafted HTTP POST requests to the endpoint /otrs/index.pl with the SortBy parameter containing a test script payload, and observing if the payload is reflected in the server's response without proper sanitization."}, {'type': 'paragraph', 'content': 'For example, you can use curl to send a POST request with a malicious SortBy parameter to test for reflected XSS:'}, {'type': 'list_item', 'content': 'curl -X POST http://<target-host>/otrs/index.pl -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" -H "X-Requested-With: XMLHttpRequest" --data-urlencode "SortBy=\'<ScRiPt>alert(7777)</ScRiPt>\'"'}, {'type': 'paragraph', 'content': 'If the response contains the injected script tag without encoding or sanitization, the vulnerability is present.'}] [1, 2]

Mitigation Strategies

There are no known official patches or countermeasures released by the LigeroSmart project as of now.

Immediate mitigation steps include:

  • Avoid using affected versions of LigeroSmart (up to 6.1.26 or 6.1.27) and consider upgrading to a version that addresses this issue once available.
  • Implement web application firewall (WAF) rules to detect and block malicious payloads targeting the SortBy parameter.
  • Restrict access to the vulnerable endpoint /otrs/index.pl to trusted users or networks where possible.
  • Educate users to be cautious of suspicious links that may exploit this reflected XSS vulnerability.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2546. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart