CVE-2026-22198 PUBLISHED

GestSup < 3.2.60 Stored XSS in API Error Logs

Assigner: VulnCheck
Reserved: 06.01.2026 Published: 09.01.2026 Updated: 14.01.2026

GestSup versions prior to 3.2.60 contain a pre-authentication stored cross-site scripting (XSS) vulnerability in the API error logging functionality. By sending an API request with a crafted X-API-KEY header value (for example, to /api/v1/ticket.php), an unauthenticated attacker can cause attacker-controlled HTML/JavaScript to be written to log entries. When an administrator later views the affected logs in the web interface, the injected content is rendered without proper output encoding, resulting in arbitrary script execution in the administrator’s browser session.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVSS Score: 5.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	Low
Attack Complexity	Low	Integrity	None	Integrity	Low
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	GestSup
Product	GestSup
Versions	Default: unknown affected from 0 to 3.2.60 (excl.)

Credits

Geoffrey Robert and Valentin Holubec of Akailabs finder
VulnCheck coordinator

References

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') CWE