CVE-2026-26724 is a Cross Site Scripting (XSS) vulnerability identified in Key Systems Inc Global Facilities Management Software, version 20230721a. The vulnerability resides in the /?Function=Groups endpoint, specifically within the selectgroup and gn parameters, which fail to properly sanitize user-supplied input. This allows a remote attacker to inject malicious scripts that execute in the context of the victim's browser when they access the vulnerable endpoint. The attack vector is remote and does not require user authentication or interaction beyond visiting a crafted URL. The absence of proper input validation and output encoding leads to the execution of arbitrary JavaScript code, which can be used to steal session cookies, perform actions on behalf of the user, or deliver further payloads such as malware. Although no public exploits have been reported yet, the vulnerability is publicly disclosed and can be weaponized by attackers targeting organizations using this software. The lack of a CVSS score suggests the need for manual severity assessment, considering the potential confidentiality and integrity impacts, ease of exploitation, and scope of affected systems. The vulnerability affects a specialized facilities management platform, which is likely deployed in environments managing physical assets and infrastructure, increasing the risk of operational disruption or data compromise if exploited.

The impact of CVE-2026-26724 on organizations worldwide can be significant, especially for those relying on Key Systems Inc Global Facilities Management Software to manage critical infrastructure and facilities. Successful exploitation can lead to the execution of arbitrary scripts in users' browsers, enabling attackers to hijack sessions, steal credentials, or manipulate user actions. This compromises confidentiality by exposing sensitive user data and operational information. Integrity may be affected if attackers perform unauthorized actions through the victim's session. While availability is less directly impacted, the resulting trust erosion and potential for further attacks could disrupt normal operations. Organizations with large user bases or those integrating this software into broader enterprise systems face increased risk of lateral movement or data leakage. The vulnerability's remote exploitability without authentication makes it an attractive target for attackers seeking initial access or footholds within organizational networks.

To mitigate CVE-2026-26724, organizations should implement strict input validation and output encoding on the selectgroup and gn parameters within the /?Function=Groups endpoint to prevent injection of malicious scripts. Applying context-aware encoding (e.g., HTML entity encoding) before rendering user input in the browser is critical. If a patch or update from Key Systems Inc becomes available, it should be applied promptly. In the absence of an official patch, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting these parameters. Conduct regular security assessments and penetration tests focusing on XSS vulnerabilities in the application. Educate users about the risks of clicking on suspicious links and implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Additionally, monitor logs for unusual access patterns to the vulnerable endpoint and establish incident response procedures to quickly address potential exploitation attempts.