🔐 CVE Alert

CVE-2026-22198

Severity: UNKNOWN (CVSS 0.0)

GestSup < 3.2.60 Stored XSS in API Error Logs

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

GestSup versions prior to 3.2.60 contain a pre-authentication stored cross-site scripting (XSS) vulnerability in the API error logging functionality. By sending an API request with a crafted X-API-KEY header value (for example, to /api/v1/ticket.php), an unauthenticated attacker can cause attacker-controlled HTML/JavaScript to be written to log entries. When an administrator later views the affected logs in the web interface, the injected content is rendered without proper output encoding, resulting in arbitrary script execution in the administrator’s browser session.

CWE: CWE-79
Vendor: gestsup
Product: gestsup
Published: Jan 9, 2026
Last Updated: Mar 5, 2026

Affected Versions

GestSup (vendor GestSup): all versions from 0 up to, but not including, 3.2.60

References

NVD, CVE.org, EPSS Data
gestsup.fr: https://gestsup.fr/index.php?page=changelog
vulncheck.com: https://www.vulncheck.com/advisories/gestsup-stored-xss-in-api-error-logs

Credits

Geoffrey Robert and Valentin Holubec of Akailabs
VulnCheck