Description

Insecure direct object reference (IDOR) in Stel Order v3.25.1 and earlier, specifically in the '/app/FrontController' endpoint, through manipulation of the 'employeeID' parameter. An authenticated attacker could exploit this vulnerability to access information about any employee (first names, last names, roles, job titles and vacation records, among others) by modifying that identifier in requests sent to the server.
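
As an added illustration (not code from Stel Order or INCIBE), the CWE-639 pattern described above in a minimal Python lookup handler: the same user-controlled key, once without and once with an object-level authorization check, plus a small log-based check for callers that walk through many employee records. The record layout, the role names, the session object and the sample data are all constructed assumptions.

```python
# Added example, not Stel Order code. Everything below (record fields,
# roles "staff"/"hr", session shape, sample data) is a constructed assumption.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    employee_id: int
    first_name: str
    role: str          # constructed: "staff" or "hr"
    vacation_days: int


# Constructed sample data standing in for the employee table.
EMPLOYEES = {
    101: Employee(101, "Ana", "staff", 12),
    102: Employee(102, "Luis", "staff", 20),
    900: Employee(900, "Marta", "hr", 25),
}


@dataclass(frozen=True)
class Session:
    employee_id: int   # identity of the authenticated caller (server-side)
    role: str


def get_employee_vulnerable(session: Session, employee_id: int):
    """Authenticates (a session exists) but never authorizes: whoever
    controls the employeeID parameter can read any record (CWE-639)."""
    return EMPLOYEES.get(employee_id)


def get_employee_hardened(session: Session, employee_id: int):
    """Object-level authorization: the key is still user-controlled, but the
    decision is made against the server-side session, not the key."""
    if session.employee_id != employee_id and session.role != "hr":
        return None  # deny; a real app would log this and answer 403/404
    return EMPLOYEES.get(employee_id)


def enumeration_suspects(access_log, threshold=3):
    """Detection aid for this weakness: callers that requested more than
    `threshold` distinct employee records other than their own.
    access_log is a list of (caller_employee_id, requested_employee_id).
    Legitimate bulk readers (e.g. HR) should be allow-listed by the caller."""
    seen = defaultdict(set)
    for caller, requested in access_log:
        if caller != requested:
            seen[caller].add(requested)
    return sorted(c for c, ids in seen.items() if len(ids) > threshold)
```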

Status: PUBLISHED | Reserved: 2026-04-08 | Published: 2026-05-14 | Updated: 2026-05-14 | Assigner: INCIBE

Severity: HIGH 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status: unknown

Any version: affected

Credits

Manuel Gomez Argandoña (finder)

References

www.incibe.es/...s/aviso/multiple-vulnerabilities-stel-order

cve.org (CVE-2026-5798)

nvd.nist.gov (CVE-2026-5798)