HIGHCVE-2026-5798Published Modified CNA INCIBE
CVE-2026-5798: Unsafe Object Reference (IDOR) vulnerability in Stel Order
Unsafe object reference (IDOR) in Stel Order v3.25.1 and earlier versions, specifically in the ‘/app/FrontController’ endpoint, through manipulation of the ‘employeeID’ parameter. An authenticated attacker could exploit this vulnerability to access information about any employee (first names, last names, roles, job titles, and vacation records, among others) by modifying that identifier in requests sent to the server.
Metrics
- CVSS v4.0
- 7.1
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
Affected packages
- Stel Order / Stel Order≤ 3.25.1
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:NReferences