Multiple vulnerabilities in Intermark IT's WebControl CMS
Posted date 29/06/2026
Identifier
INCIBE-2026-462
Importance
3 - Medium
Affected Resources
WebControl CMS.
Description
INCIBE has coordinated the disclosure of two medium-severity vulnerabilities affecting Intermark IT’s WebControl CMS, a versatile and secure web content management solution. The vulnerabilities were discovered by Erik Villegas.
The following CVE identifiers, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type have been assigned to these vulnerabilities:
- CVE-2026-6953 and CVE-2026-6954: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N | CWE-79
Solution
No solution has been reported at this time.
Detail
- CVE-2026-6953: HTML injection vulnerability in Intermark IT's WebControl CMS v3.5. This vulnerability allows an attacker to send an email containing malicious HTML code to a victim via the contact form. To exploit this vulnerability, the attacker must send a request using the 'nombreApellidos', 'dirección', and 'comentarios' parameters to '/processContact.do'.
- CVE-2026-6954: a Cross-Site Scripting (XSS) vulnerability in Intermark IT's WebControl CMS v3.5. This vulnerability allows an attacker to execute JavaScript code or inject a dynamic iframe into the victim’s browser by sending a malicious URL via the 'urlDestino' parameter in '/portal.do'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, display phishing interfaces, or perform actions on the user’s behalf.
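While no fix is available, web server logs can be reviewed for abuse of the 'urlDestino' parameter described in CVE-2026-6954. The following Python detection helper is an added example, not part of this advisory or of Intermark IT's code. It assumes the parameter travels in the query string and that requests are logged in combined log format; the sample log lines (including the '/noticias.do' path) are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request portion of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# Schemes that execute script or embed content when used as a link or frame target.
BAD_SCHEME_RE = re.compile(r'^(javascript|data|vbscript):', re.I)
# Characters that have no place in a plain redirect target but are needed for markup.
MARKUP_RE = re.compile(r'[<>"\']')

# Constructed sample log lines, for illustration only.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Jun/2026:10:00:01 +0000] "GET /portal.do?urlDestino=/noticias.do HTTP/1.1" 200 512',
    '203.0.113.9 - - [29/Jun/2026:10:00:07 +0000] "GET /portal.do?urlDestino=javascript%3Aalert(1) HTTP/1.1" 200 498',
    '203.0.113.9 - - [29/Jun/2026:10:00:09 +0000] "GET /portal.do?urlDestino=%253Ciframe%2520src%253D%252F%252Fexample.test%253E HTTP/1.1" 200 498',
]

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded values are inspected in clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_url_destino(log_line):
    """Return the decoded urlDestino value if it looks like script or markup, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    if not parts.path.endswith('/portal.do'):
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get('urlDestino', []):
        value = fully_decode(raw)  # parse_qs already decoded one layer
        # Browsers ignore whitespace and control characters inside a scheme name.
        compact = re.sub(r'[\x00-\x20]', '', value)
        if BAD_SCHEME_RE.match(compact) or MARKUP_RE.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    found = ((n, suspicious_url_destino(line)) for n, line in enumerate(lines, 1))
    return [(n, v) for n, v in found if v is not None]

if __name__ == "__main__":
    for n, v in scan(SAMPLE_LOG):
        print(f"line {n}: suspicious urlDestino -> {v!r}")
```

The checks are heuristics for triage: a flagged line warrants review of the request and its referrer, and an unflagged log does not prove the parameter was never abused.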
CVE
| CVE Identifier | Severity | Exploitation | Manufacturer |
|---|---|---|---|
| CVE-2026-6953 | Medium | No | Intermark IT |
| CVE-2026-6954 | Medium | No | Intermark IT |