CVE-2026-22587 | THREATINT

Description

Ideagen DevonWay contains a stored cross site scripting vulnerability. A remote, authenticated attacker could craft a payload in the 'Reports' page that executes when another user views the report. Fixed in 2.62.4 and 2.62 LTS.

PUBLISHED Reserved 2026-01-07 | Published 2026-01-08 | Updated 2026-01-08 | Assigner cisa-cg

MEDIUM: 5.5CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

MEDIUM: 4.8CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status

unknown

Any version before 2.62.4

affected

2.62 LTS

unaffected

2.62.4

unaffected

Credits

Fernando Martinez, Trevor La Pay, George Thompson, Natalie Runyan, Sandia National Laboratories

References

raw.githubusercontent.com/...IT/white/2025/va-26-008-03.json (url)

www.cve.org/CVERecord?id=CVE-2026-22587 (url)

cve.org (CVE-2026-22587)

nvd.nist.gov (CVE-2026-22587)

Download JSON