CVE-2026-26724 is a Cross Site Scripting (XSS) vulnerability classified under CWE-79, discovered in Key Systems Inc Global Facilities Management Software version 20230721a. The vulnerability exists in the handling of the selectgroup and gn parameters on the /?Function=Groups endpoint. An attacker with at least limited privileges (PR:L) can craft malicious input that, when processed by the vulnerable endpoint, results in arbitrary script execution in the context of the victim's browser. The attack requires user interaction (UI:R), such as clicking a malicious link or visiting a crafted page, and can lead to a complete compromise of confidentiality (C:H), partial integrity loss (I:L), but does not affect availability (A:N). The vulnerability has a CVSS v3.1 base score of 7.6, reflecting its high severity due to network attack vector (AV:N), low attack complexity (AC:L), and scope change (S:C). The scope change indicates that the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting other parts of the application or user data. No patches or known exploits are currently available, but the risk remains significant given the nature of XSS attacks, which can be leveraged for session hijacking, credential theft, or delivering further malware.

The exploitation of this XSS vulnerability can lead to unauthorized disclosure of sensitive information, such as session tokens or user credentials, enabling attackers to impersonate legitimate users. This can result in unauthorized access to facilities management data, manipulation of user sessions, and potential lateral movement within an organization's network. The partial integrity impact means attackers might alter some data or user interface elements, misleading users or corrupting information. Although availability is not directly affected, the indirect consequences of compromised accounts or data integrity could disrupt operations. Organizations relying on this software for critical infrastructure management could face operational risks, reputational damage, and compliance violations if exploited. The requirement for user interaction and limited privileges reduces the ease of exploitation but does not eliminate the threat, especially in environments with many users or where phishing is feasible.

Organizations should implement input validation and output encoding on all user-supplied data, particularly the selectgroup and gn parameters, to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Conduct thorough user training to recognize and avoid phishing attempts that could trigger the vulnerability. Monitor web application logs for suspicious requests targeting the vulnerable endpoint. If possible, restrict access to the /?Function=Groups endpoint to trusted users or networks. Since no official patch is available, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting this vulnerability. Engage with Key Systems Inc for timely updates and patches. Additionally, implement multi-factor authentication to reduce the impact of compromised credentials resulting from XSS attacks.