Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Stored Cross-Site Scripting (XSS) in RLE NOVA's PlanManager

Posted date 29/01/2026
Identificador
INCIBE-2026-066
Importance
3 - Medium
Affected Resources
  • planmanager.es.
Description

INCIBE has coordinated the publication of a medium-severity vulnerability affecting PlanManager, an open-source live chat platform. The vulnerability was discovered by Fenix08.

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:

  • CVE-2026-1469: CVSS v4.0: 6.9 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-79
Solution
  • The reported vulnerability is no longer exploitable, as the website planmanager.es was taken down in October 2025.
Detail

CVE-2026-1469: Stored Cross-Site Scripting (XSS) in RLE NOVA's PlanManager. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting malicious payload through the ‘comment’ and ‘brand’ parameters in ‘/index.php’. The payload is stored by the application and subsequently displayed without proper sanitization when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.

CVE
Explotación
No
Nuevo Fabricante
RLE NOVA
Identificador CVE
CVE-2026-1469
Severidad
Media
References list
PlanManager
Etiquetas