CVE-2026-22322 HIGH

CVE-2026-22322: Stored Cross‑Site Scripting in Link Aggregation Name Handling

Vendor Phoenix Contact
Product FL SWITCH 2005
Weakness CWE-79 · XSS
Published March 18, 2026
Last update March 18, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01Description

A stored cross‑site scripting (XSS) vulnerability in the Link Aggregation configuration interface allows an unauthenticated remote attacker to create a trunk entry containing malicious HTML/JavaScript code. When the affected page is viewed, the injected script executes in the context of the victim’s browser, enabling unauthorized actions such as interface manipulation. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user.

Key dates

02Disclosure timeline

March 18, 2026 CVE published
March 18, 2026 Record updated