Full Report
A reflected XSS vulnerability (CVE-2026-1434) has been found in the Omega-PSIR software.
Analysis Summary
# Vulnerability: Reflected Cross-Site Scripting (XSS) in Omega-PSIR
## CVE Details
- **CVE ID:** CVE-2026-1434
- **CVSS Score:** Not rated in the source advisory (reflected XSS is typically scored 6.1, Moderate)
- **CWE:** CWE-79 (Improper Neutralization of Input During Web Page Generation)
## Affected Systems
- **Products:** Omega-PSIR (Institutional Research Management System)
- **Versions:** 4.5.9 through 4.6.6
- **Configurations:** Web-facing instances utilizing the language switching functionality.
## Vulnerability Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the Omega-PSIR software due to improper neutralization of user-supplied input. Specifically, the application fails to adequately sanitize the `lang` parameter used for language switching. An attacker can inject script into this parameter; the server echoes it back unescaped as part of the generated page, so it runs in the browser of any user who opens the crafted URL.
## Exploitation
- **Status:** Coordinated disclosure (PoC exists but not reported as exploited in the wild).
- **Complexity:** Low
- **Attack Vector:** Network (Remote) - Requires a victim to click a specially crafted URL.
## Impact
- **Confidentiality:** Moderate (Potential theft of session cookies or sensitive data displayed on the page)
- **Integrity:** Moderate (Ability to modify the content of the page as seen by the user)
- **Availability:** Low (Possible disruption of user session)
## Remediation
### Patches
- **Update to Version 4.6.7:** This version contains the official fix for the input neutralization flaw.
### Workarounds
- No specific software workarounds are provided; users are encouraged to update to the patched version immediately.
- General mitigation: deploy a Content Security Policy (CSP) that restricts the sources from which the browser will execute scripts, which limits what an injected payload can do.
## Detection
- **Indicators of Compromise:** Web server logs showing unusual or encoded JavaScript payloads (e.g., `<script>`, `alert`, or obfuscated strings) within the `lang` URL parameter.
- **Detection methods:** A Web Application Firewall (WAF) configured to detect and block XSS patterns in incoming HTTP GET requests.
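To make the log indicator above concrete, the following is an added example (not from the advisory or the vendor) that scans constructed combined-format access-log lines for `lang` values that are not plain language codes, percent-decoding repeatedly so double-encoded payloads are not missed. The allowed language-code shape, the log format and the sample entries are assumptions made for the demonstration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log entries (combined log format) for this demo only.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Feb/2026:10:01:02 +0000] "GET /index.php?lang=en HTTP/1.1" 200 5120
203.0.113.11 - - [12/Feb/2026:10:01:05 +0000] "GET /index.php?lang=pl HTTP/1.1" 200 5122
198.51.100.7 - - [12/Feb/2026:10:02:17 +0000] "GET /index.php?lang=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5310
198.51.100.7 - - [12/Feb/2026:10:02:40 +0000] "GET /index.php?lang=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 5290
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# Assumed shape of a legitimate language code (e.g. "en", "pl", "en-US"); adjust to your deployment.
ALLOWED_LANG = re.compile(r"^[a-z]{2}(-[A-Z]{2})?$")
# Markup or script fragments that have no business in a language selector.
SUSPICIOUS = re.compile(r"<|>|javascript:|on[a-z]+\s*=|alert\s*\(", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%253C -> %3C -> <) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def lang_values(target):
    """Return the raw (still encoded) values of every 'lang' query parameter in a request target."""
    values = []
    for pair in urlsplit(target).query.split("&"):
        name, _, value = pair.partition("=")
        if unquote(name) == "lang":
            values.append(value)
    return values

def scan_log(text):
    """Return (client_ip, raw_value, decoded_value, reason) for each lang value that is not a plain code."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        for raw in lang_values(match.group("target")):
            decoded = fully_decode(raw)
            if ALLOWED_LANG.fullmatch(decoded):
                continue  # ordinary language switch, nothing to report
            reason = "xss-pattern" if SUSPICIOUS.search(decoded) else "unexpected-value"
            findings.append((client_ip, raw, decoded, reason))
    return findings
```

Running `scan_log(SAMPLE_LOG)` reports only the two entries from 198.51.100.7, both decoding to the same `<script>` payload despite the second being double-encoded.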
## References
- **Vendor advisory:** hxxps[://]cert[.]pl/en/posts/2026/02/cvd-2026-1434/
- **CVE Record:** hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-1434
- **CWE-79 Info:** hxxps[://]cwe[.]mitre[.]org/data/definitions/79[.]html