CVE-2026-1434 is a reflected Cross-site Scripting (XSS) vulnerability classified under CWE-79, found in the Omega-PSIR software developed by Politechnika Warszawska. The vulnerability exists due to improper neutralization of user-supplied input in the 'lang' parameter during web page generation. An attacker can exploit this by crafting a malicious URL containing JavaScript code embedded in the 'lang' parameter. When a victim opens this URL, the injected script executes within their browser context, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or redirect the user to malicious sites. This vulnerability affects Omega-PSIR version 4.5.9 and was addressed in version 4.6.7. The CVSS 4.0 vector indicates that the attack can be performed remotely over the network without authentication, requires low attack complexity, and user interaction is necessary (clicking the malicious link). The vulnerability does not impact confidentiality, integrity, or availability directly but can lead to secondary attacks that compromise these aspects. No known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on January 26, 2026, and published on February 27, 2026, by CERT-PL. The scope is limited to the Omega-PSIR product, which is used primarily in academic and research environments.

The primary impact of CVE-2026-1434 is the potential execution of arbitrary JavaScript in the context of the victim’s browser, which can lead to session hijacking, theft of sensitive information, unauthorized actions on behalf of the user, and phishing attacks. This can undermine user trust and lead to data breaches or unauthorized access to internal resources if the victim is an authenticated user. While the vulnerability does not directly affect system availability or integrity, the indirect consequences can be severe, especially in environments handling sensitive research data or personal information. Organizations using vulnerable versions of Omega-PSIR risk exposure to targeted attacks, especially if users are tricked into clicking malicious links. The medium CVSS score reflects the moderate risk due to the requirement for user interaction and the limited scope of impact. However, in high-security environments, even reflected XSS can be leveraged as part of a larger attack chain.

1. Upgrade Omega-PSIR to version 4.6.7 or later, where the vulnerability is fixed. 2. Implement strict input validation and output encoding on all user-supplied parameters, especially the 'lang' parameter, to prevent injection of executable scripts. 3. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 4. Educate users about the risks of clicking on suspicious or unsolicited links, particularly those that appear to manipulate URL parameters. 5. Monitor web application logs for unusual URL patterns or repeated attempts to exploit the 'lang' parameter. 6. Use web application firewalls (WAFs) configured to detect and block reflected XSS payloads targeting Omega-PSIR. 7. Conduct regular security assessments and penetration testing focusing on input validation and XSS vulnerabilities. 8. Apply security patches promptly and maintain an up-to-date inventory of software versions in use.