CVE-2026-1493: XSS in LEX Baza Dokumentów
Platform
javascript
Component
lex-baza-dokument-w
Fixed in
1.3.4
CVE-2026-1493 describes a DOM-based Cross-Site Scripting (XSS) vulnerability discovered in LEX Baza Dokumentów. This vulnerability allows an attacker to inject and execute malicious JavaScript code within the context of a user's browser by manipulating the "em" cookie parameter. The vulnerability impacts versions 0.0.0 through 1.3.4, and a security patch is available in version 1.3.4.
Impact and Attack Scenarios
Successful exploitation of CVE-2026-1493 allows an attacker to execute arbitrary JavaScript code in the victim's browser. While the vendor assesses the impact and risk of exploitation as minimal, this could still lead to session hijacking, defacement of the application, or redirection to malicious websites. An attacker who can control the 'em' cookie parameter can leverage this vulnerability to perform more severe attacks, potentially gaining unauthorized access to sensitive data or performing actions on behalf of the victim. The ability to inject JavaScript opens the door to a wide range of malicious activities, depending on the attacker's goals and the privileges associated with the user's session.
Exploitation Context
CVE-2026-1493 was published on 2026-04-30. No public proof-of-concept (POC) code has been identified at the time of writing. The vulnerability's severity is pending evaluation. No known active campaigns targeting this vulnerability have been reported.
Threat Intelligence
Exploit Status
EPSS
0.01% (1% percentile)
Affected Software
Weakness Classification (CWE)
Timeline
- Published
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-1493 is to upgrade to version 1.3.4 or later of LEX Baza Dokumentów. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the server-side to prevent malicious JavaScript code from being injected into the 'em' cookie parameter. While a direct workaround is not available, employing a Web Application Firewall (WAF) with rules to detect and block suspicious cookie manipulation attempts can provide an additional layer of defense. Regularly review and update your WAF rules to ensure they are effective against emerging threats.
How to fix
Actualice a la versión 1.3.4 o posterior para mitigar la vulnerabilidad de XSS. Asegúrese de validar y escapar correctamente los datos proporcionados por el usuario, especialmente los parámetros de cookie, antes de procesarlos en el lado del cliente.
Frequently asked questions
What is CVE-2026-1493 — XSS in LEX Baza Dokumentów?
CVE-2026-1493 is a DOM-based Cross-Site Scripting (XSS) vulnerability affecting LEX Baza Dokumentów versions 0.0.0 through 1.3.4. It allows attackers to execute JavaScript via the 'em' cookie parameter.
Am I affected by CVE-2026-1493 in LEX Baza Dokumentów?
You are affected if you are using LEX Baza Dokumentów versions 0.0.0 through 1.3.4 and the 'em' cookie parameter is not properly validated.
How do I fix CVE-2026-1493 in LEX Baza Dokumentów?
Upgrade to version 1.3.4 or later of LEX Baza Dokumentów. Implement server-side input validation and sanitization as an interim measure.
Is CVE-2026-1493 being actively exploited?
No active campaigns targeting CVE-2026-1493 have been reported as of the publication date.
Where can I find the official LEX Baza Dokumentów advisory for CVE-2026-1493?
Refer to the vendor's official security advisory for details and updates regarding CVE-2026-1493.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Try it now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...