CVE-2026-26723 is a Cross Site Scripting (XSS) vulnerability classified under CWE-79, affecting Key Systems Inc Global Facilities Management Software version 20230721a. The vulnerability arises from improper sanitization of the 'function' parameter, which allows remote attackers to inject and execute arbitrary scripts in the context of the victim's browser. This can be exploited by crafting malicious URLs or payloads that, when visited or triggered by a user, execute attacker-controlled code. The vulnerability requires user interaction but no authentication, increasing the attack surface. The CVSS 3.1 base score of 8.2 indicates a high severity due to network accessibility, low attack complexity, and the ability to affect confidentiality with a scope change. The impact primarily concerns confidentiality, as attackers can steal session tokens, credentials, or perform actions on behalf of users. Integrity impact is limited but present, while availability is unaffected. No patches are currently linked, and no known exploits have been reported in the wild, but the vulnerability's characteristics make it a likely target for exploitation once weaponized. The vulnerability affects organizations using this specific facilities management software, which is typically deployed in environments managing physical assets and infrastructure. Attackers could leverage this vulnerability to conduct phishing, session hijacking, or deliver malware payloads, potentially leading to broader network compromise or data leakage.

The primary impact of CVE-2026-26723 is on confidentiality, as successful exploitation allows attackers to execute arbitrary scripts in users' browsers, potentially stealing sensitive information such as session cookies, credentials, or personal data. This can lead to unauthorized access to user accounts or internal systems. The integrity impact is limited but includes the possibility of attackers manipulating displayed content or performing unauthorized actions on behalf of users. Availability is not directly affected by this vulnerability. Organizations using the affected software may face data breaches, reputational damage, and compliance violations if exploited. Given the software's role in facilities management, attackers might gain footholds to pivot into critical infrastructure systems, increasing the risk of operational disruptions or espionage. The requirement for user interaction means social engineering or phishing campaigns could be used to trigger the exploit, broadening the attack vector. The lack of current known exploits suggests a window for proactive mitigation, but the high CVSS score indicates urgency in addressing the vulnerability.

1. Implement strict input validation and output encoding on the 'function' parameter and all user-supplied inputs to prevent injection of malicious scripts. 2. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 3. Educate users to recognize and avoid suspicious links or unexpected interactions that could trigger XSS attacks. 4. Monitor web application logs and network traffic for unusual patterns indicative of exploitation attempts. 5. Isolate the affected application within network segments to limit lateral movement if compromised. 6. Engage with Key Systems Inc to obtain patches or updates addressing this vulnerability as soon as they become available. 7. Employ web application firewalls (WAF) with rules targeting XSS attack patterns to provide an additional layer of defense. 8. Conduct regular security assessments and penetration testing focusing on input validation and client-side security controls. 9. Review and update incident response plans to include scenarios involving XSS exploitation and data exfiltration. 10. Limit user privileges and session lifetimes to reduce the impact of stolen credentials or session tokens.