{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30082", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-30T15:27:54.529Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-30T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T14:58:38.644Z"}, "descriptions": [{"lang": "en", "value": "Multiple stored cross-site scripting (XSS) vulnerabilities in the Edit feature of the Software Package List page of IngEstate Server v11.14.0 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the About application, What's news, or Release note parameters."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://ingestate.com"}, {"url": "https://ingenico.com/"}, {"url": "https://github.com/Cr0wld3r/CVE-2026-30082"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T15:27:27.396729Z", "id": "CVE-2026-30082", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:27:54.529Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30082", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T15:27:27.396729Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:27:49.269Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://ingestate.com"}, {"url": "https://ingenico.com/"}, {"url": "https://github.com/Cr0wld3r/CVE-2026-30082"}], "descriptions": [{"lang": "en", "value": "Multiple stored cross-site scripting (XSS) vulnerabilities in the Edit feature of the Software Package List page of IngEstate Server v11.14.0 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the About application, What's news, or Release note parameters."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T14:58:38.644Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30082", "state": "PUBLISHED", "dateUpdated": "2026-03-30T15:27:54.529Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-30T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple stored cross-site scripting (XSS) vulnerabilities in the Edit feature of the Software Package List page of IngEstate Server v11.14.0 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the About application, What's news, or Release note parameters."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de cross-site scripting (XSS) almacenadas en la funci\u00f3n de Edici\u00f3n de la p\u00e1gina de Lista de Paquetes de Software de IngEstate Server v11.14.0 permiten a los atacantes ejecutar scripts web arbitrarios o HTML mediante la inyecci\u00f3n de una carga \u00fatil manipulada en los par\u00e1metros About application, What's news o Release note."}], "id": "CVE-2026-30082", "lastModified": "2026-04-01T14:24:21.833", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-30T15:16:26.320", "references": [{"source": "cve@mitre.org", "url": "http://ingestate.com"}, {"source": "cve@mitre.org", "url": "https://github.com/Cr0wld3r/CVE-2026-30082"}, {"source": "cve@mitre.org", "url": "https://ingenico.com/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "11.14.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "ingestate_server", "vendor": "ingestate"}], "analysis": {"en": {"generated_at": "2026-03-30T17:54:24.398981+00:00", "value": {"mitigation_remediation": ["Apply the latest IngEstate Server update that addresses the stored XSS in the Software Package List Edit feature as soon as it becomes available.", "If a patch is not yet released, restrict or disable the Edit functionality for all users or enforce strict input sanitization on the About application, What\u2019s news, and Release note fields to strip or escape HTML tags.", "Deploy a web application firewall rule or content\u2011security\u2011policy header that blocks or sanitizes suspicious script tags on the Software Package List page.", "Monitor user accounts for signs of session hijack or credential theft and reset passwords if compromise is suspected."], "summary": {"action": "Patch", "impact": "Cross-site scripting allows arbitrary script execution in the web UI"}, "threat_synthesis": {"affected_systems": "The affected system is IngEstate Server, specifically version\u202f11.14.0. The bug resides in the Edit functionality of the Software Package List page, where inputs for About application, What\u2019s news, and Release notes are not properly sanitized before rendering.\nNo other vendors or products are listed. The scope is confined to this application version and feature set.\n\n", "description_and_impact": "The vulnerability exposes multiple stored cross\u2011site scripting weaknesses in the Edit feature of the Software Package List page of IngEstate Server v11.14.0. Attackers can embed malicious scripts or HTML into the About application, What\u2019s news, or Release note fields, causing the browser to execute the injected code when the page is viewed by any user. This can lead to session hijacking, credential theft, or malicious actions carried out in the client\u2019s browser context.\nThe impact is limited to users who view the affected page, but because the payload is stored, any authenticated user who accesses the page may be compromised.\nThe weakness is a classic stored XSS (CWE\u201179) that does not require additional user interaction beyond viewing the page.", "risk_and_exploitability": "The CVSS score of\u202f6.1 reflects moderate severity; the vulnerability is not in the CISA KEV catalog. Exploitation is likely to require a user with access to the web interface to edit the Software Package List and inject a crafted payload. Once stored, the attacker can rely on end users visiting the page to trigger the payload, so the risk is primarily to confidentiality and integrity of user sessions and to the trust of the web UI. The expected attack vector is via the web interface, and no additional network or local privilege escalation is required."}}}}, "created": "2026-03-30T20:56:35.163587+00:00", "title": "Stored Cross\u2011Site Scripting in IngEstate Server Software Package List Edit Feature", "updated": "2026-04-03T09:11:44.958827+00:00", "vendors": ["ingestate", "ingestate$PRODUCT$ingestate_server"]}