Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Multiple vulnerabilities in Stel Order

Posted date 14/05/2026
Identificador
INCIBE-2026-351
Importance
4 - High
Affected Resources

Stel Order platform, versions 3.25.1 and earlier.

Description

INCIBE has coordinated the disclosure of two high- and medium-severity vulnerabilities affecting the Stel Order platform, a comprehensive cloud-based management software. The vulnerabilities were discovered by Manuel Gomez Argandoña and David Padilla Alvarado, respectively.
These vulnerabilities have been assigned the following codes, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type for each vulnerability:

  • CVE-2026-5798: CVSS v4.0 7.1 | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-639
  • CVE-2026-5790: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution
  • Regarding CVE-2026-5798, the authorization controls associated with operations that accept 'employeeID' have been strengthened and verified, particularly in the following areas:
    • backend permission validation;
    • verification of the company/account scope;
    • distinction between administrator profiles and users without global permissions;
    • review of query and modification operations related to employees. 
  • Regarding CVE-2026-5790, it has been confirmed that the vulnerability was resolved in August 2025 and is no longer exploitable in current versions.
Detail
  • CVE-2026-5798: unsafe object reference (IDOR) in Stel Order v3.25.1 and earlier versions, specifically in the ‘/app/FrontController’ endpoint, through manipulation of the ‘employeeID’ parameter. An authenticated attacker could exploit this vulnerability to access information about any employee (first names, last names, roles, job titles, and vacation records, among others) by modifying that identifier in requests sent to the server.
  • CVE-2026-5790: stored Cross-Site Scripting (XSS) in Stel Order v3.25.1 and earlier, located at the ‘/app/FrontController’ endpoint via the ‘legalName’ and ‘employeeID’ parameters. The lack of proper input sanitization allows an attacker to inject malicious code that is persistently stored in the database. When other users or administrators access the affected sections, the code executes in their browsers, enabling the theft of session cookies and account hijacking.
     
CVE
Identificador CVE Severidad Explotación Fabricante
CVE-2026-5790 Media No Stel Order
CVE-2026-5798 Alta No Stel Order
References list
Stel Order website
Etiquetas