CVE-2026-22198 MEDIUM

CVE-2026-22198: GestSup < 3.2.60 Stored XSS in API Error Logs

Vendor Gestsup
Product GestSup
Weakness CWE-79 · XSS
Published January 9, 2026
Last update March 5, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

GestSup versions prior to 3.2.60 contain a pre-authentication stored cross-site scripting (XSS) vulnerability in the API error logging functionality. By sending an API request with a crafted X-API-KEY header value (for example, to /api/v1/ticket.php), an unauthenticated attacker can cause attacker-controlled HTML/JavaScript to be written to log entries. When an administrator later views the affected logs in the web interface, the injected content is rendered without proper output encoding, resulting in arbitrary script execution in the administrator’s browser session.

Key dates

02Disclosure timeline

January 9, 2026 CVE published
March 5, 2026 Record updated