CVE-2026-22587 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 in the Ideagen DevonWay software platform. The vulnerability exists in the 'Reports' page functionality, where user-supplied input is not properly sanitized or neutralized during web page generation. An authenticated attacker with privileges to create or modify reports can embed malicious JavaScript payloads into report content. When other users view these reports, the embedded scripts execute in their browsers within the context of the DevonWay application. This can lead to session hijacking, unauthorized actions, or data theft depending on the victim's privileges and the attacker's payload. The vulnerability requires the attacker to be authenticated and to convince another user to view the malicious report, thus involving user interaction. The CVSS v3.1 base score is 5.5, reflecting medium severity with network attack vector, low attack complexity, requiring privileges and user interaction, and impacts on confidentiality, integrity, and availability rated as low. The issue was fixed in versions 2.62.4 and 2.62 LTS. No public exploits or widespread attacks have been reported to date. The vulnerability highlights the importance of input validation and output encoding in web applications, especially those handling sensitive organizational data like DevonWay.

For European organizations, exploitation of this vulnerability could lead to unauthorized access to sensitive information, session hijacking, or execution of unauthorized actions within the DevonWay platform. This could disrupt business processes, compromise data integrity, and potentially lead to data leakage or unauthorized changes in quality, safety, or compliance management workflows that DevonWay supports. Although the impact is rated medium, organizations in regulated sectors such as manufacturing, aerospace, or healthcare—where DevonWay is often deployed—may face compliance risks and operational disruptions. The requirement for authentication and user interaction limits the attack surface but does not eliminate risk, especially in environments with many users or less stringent access controls. The absence of known exploits reduces immediate risk but does not preclude targeted attacks or future exploitation. Overall, the vulnerability could undermine trust in the platform and cause reputational damage if exploited.

1. Immediately upgrade Ideagen DevonWay installations to version 2.62.4 or 2.62 LTS where the vulnerability is fixed. 2. Restrict report creation and editing privileges to trusted users only, minimizing the number of users who can inject malicious content. 3. Implement web application firewall (WAF) rules to detect and block suspicious script payloads in HTTP requests targeting the Reports page. 4. Conduct regular security awareness training for users to recognize suspicious reports or unexpected behavior. 5. Monitor application logs and user activity for unusual report creation or access patterns. 6. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser context. 7. Review and enhance input validation and output encoding practices in any custom integrations or extensions of DevonWay. 8. Coordinate with Ideagen support for any additional security advisories or patches.