🔐 CVE Alert

CVE-2026-5798

Severity: UNKNOWN (0.0)

Unsafe Object Reference (IDOR) vulnerability in Stel Order

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Unsafe object reference (IDOR) in Stel Order v3.25.1 and earlier versions, specifically in the ‘/app/FrontController’ endpoint, through manipulation of the ‘employeeID’ parameter. An authenticated attacker could exploit this vulnerability to access information about any employee (first names, last names, roles, job titles, and vacation records, among others) by modifying that identifier in requests sent to the server.

CWE: CWE-639
Vendor: stel order
Product: stel order
Published: May 14, 2026
Last Updated: May 14, 2026

Affected Versions

Stel Order / Stel Order
0 ≤ 3.25.1

References

incibe.es: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-stel-order

Credits

Manuel Gomez Argandoña