CVE-2026-5798
Severity CVSS v4.0:
HIGH
Type:
Unavailable / Other
Publication date:
14/05/2026
Last modified:
14/05/2026
Description
Unsafe object reference (IDOR) in Stel Order v3.25.1 and earlier versions, specifically in the ‘/app/FrontController’ endpoint, through manipulation of the ‘employeeID’ parameter. An authenticated attacker could exploit this vulnerability to access information about any employee (first names, last names, roles, job titles, and vacation records, among others) by modifying that identifier in requests sent to the server.
Impact
Base Score 4.0
7.10
Severity 4.0
HIGH



