CVE-2026-6954
Received - Intake

Reflected XSS in WebControl CMS v3.5

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description

Cross-Site Scripting (XSS) vulnerability in Intermark IT's WebControl CMS v3.5. This vulnerability allows an attacker to execute JavaScript code or inject a dynamic iframe into the victim’s browser by sending a malicious URL via the 'urlDestino' parameter in '/portal.do'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, display phishing interfaces, or perform actions on the user’s behalf.

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor         Product          Version / Range
intermark_it   webcontrol_cms   3.5

Exploitability

CWE ID: CWE-79
Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Executive Summary

This vulnerability is a Cross-Site Scripting (XSS) issue found in Intermark IT's WebControl CMS version 3.5. It occurs because the application improperly handles the 'urlDestino' parameter in the '/portal.do' endpoint, allowing an attacker to inject malicious JavaScript code or a dynamic iframe into a victim's browser.

By exploiting this vulnerability, an attacker can execute arbitrary scripts in the context of the victim's browser session.

Impact Analysis

This vulnerability can have several impacts on users and systems:

  • Stealing sensitive user data such as session cookies.
  • Displaying phishing interfaces to trick users into revealing confidential information.
  • Performing unauthorized actions on behalf of the user without their consent.
