Platform: php
Component: web-totum
Fixed in: 2026.0.1
CVE-2026-6743 describes a cross-site scripting (XSS) vulnerability discovered in WebSystems WebTOTUM 2026. This flaw impacts the Calendar component, allowing attackers to inject malicious scripts into web pages viewed by other users. The vulnerability is rated as LOW severity and affects version 2026. A fixed version has been released by the vendor, and upgrading is the recommended solution.
Successful exploitation of CVE-2026-6743 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious activities, including stealing session cookies, redirecting users to phishing sites, defacing the website, or injecting malware. The impact is particularly severe if the Calendar component is used to display user-supplied data, as this data could be manipulated to inject malicious scripts. While the CVSS score is LOW, the potential for session hijacking and data theft warrants prompt remediation.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While no active campaigns have been reported, the availability of the CVE details and potential for easy exploitation makes it a target for opportunistic attackers. The vendor responded promptly and released a fix, indicating a commitment to security. This vulnerability is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-6743 is to upgrade WebSystems WebTOTUM to the fixed version. The vendor has released a patch to address the vulnerability. If immediate upgrading is not possible, consider implementing input validation and output encoding on the Calendar component so that user-supplied data is rendered as text rather than interpreted as markup or script. Web application firewalls (WAFs) with XSS filtering rules can also provide a temporary layer of protection, though they are not a substitute for the fix. After upgrading, confirm the fix by attempting to inject a simple XSS payload into the Calendar component and verifying that it is rendered as escaped text rather than executed.
Update the Calendar component to the fixed version provided by the WebSystems vendor. Consult the vendor's documentation or website for specific upgrade instructions.
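The interim workaround above (validate what the Calendar accepts, encode what it renders) is illustrated by the following added PHP example. It is not WebTOTUM code and does not reflect how the real Calendar component is written; the event array shape, the function names and the sample events are assumptions made for the illustration.

```php
<?php
// Added example, not WebTOTUM code: context-aware output encoding plus
// input validation for calendar entries rendered into HTML.
// The event structure ['title', 'date', 'url'] is an assumption.
declare(strict_types=1);

/** Encode a value for an HTML text node or a double-quoted attribute. */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Accept only the values a calendar entry needs; reject everything else. */
function validate_event(array $event): array
{
    $title = trim((string)($event['title'] ?? ''));
    if ($title === '' || mb_strlen($title, 'UTF-8') > 200) {
        throw new InvalidArgumentException('title must be 1-200 characters');
    }

    // Dates: parse against a strict format and require an exact round trip,
    // so "2026-03-02<img ...>" or "2026-3-2" are both rejected.
    $raw  = (string)($event['date'] ?? '');
    $date = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    if ($date === false || $date->format('Y-m-d') !== $raw) {
        throw new InvalidArgumentException('date must be YYYY-MM-DD');
    }

    // Links: allow-list the scheme, so javascript: and data: URLs never
    // reach an href attribute (encoding alone does not stop those).
    $url = (string)($event['url'] ?? '');
    if ($url !== '') {
        $parts  = parse_url($url);
        $scheme = strtolower($parts['scheme'] ?? '');
        if ($parts === false || !in_array($scheme, ['http', 'https'], true)) {
            throw new InvalidArgumentException('url must be http or https');
        }
    }

    return ['title' => $title, 'date' => $date->format('Y-m-d'), 'url' => $url];
}

/** Render one event; every dynamic value passes through html_escape(). */
function render_event(array $event): string
{
    $e     = validate_event($event);
    $title = html_escape($e['title']);
    $date  = html_escape($e['date']);

    $html = '<li class="event" data-date="' . $date . '">';
    if ($e['url'] !== '') {
        $html .= '<a href="' . html_escape($e['url']) . '" rel="noopener">' . $title . '</a>';
    } else {
        $html .= $title;
    }
    return $html . ' (' . $date . ')</li>';
}

// Constructed sample input; the second title carries the kind of markup
// an XSS attempt would contain, which the encoder must neutralise.
$events = [
    ['title' => 'Team sync',                               'date' => '2026-03-02', 'url' => ''],
    ['title' => '<script>alert(document.cookie)</script>', 'date' => '2026-03-03', 'url' => ''],
    ['title' => 'Release review',                          'date' => '2026-03-04', 'url' => 'https://example.com/review'],
];

echo "<ul>\n";
foreach ($events as $event) {
    try {
        echo '  ', render_event($event), "\n";
    } catch (InvalidArgumentException $ex) {
        // Rejected entries are logged, never echoed back unencoded.
        error_log('calendar: rejected event: ' . $ex->getMessage());
    }
}
echo "</ul>\n";
```

Running this prints the second entry as a visible, inert string of escaped characters rather than a script element, which is also the observable behaviour the post-upgrade verification step looks for. The two controls are complementary: encoding handles any text the browser would otherwise parse as markup, while the scheme allow-list handles the attribute contexts (such as href) where encoding alone cannot prevent script execution.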
CVE-2026-6743 is a cross-site scripting (XSS) vulnerability in WebSystems WebTOTUM 2026's Calendar component, allowing attackers to inject malicious scripts.
If you are using WebSystems WebTOTUM 2026, you are potentially affected. Upgrade to the fixed version to mitigate the risk.
Upgrade WebSystems WebTOTUM to the latest fixed version. Implement input validation and output encoding as a temporary workaround if upgrading is not immediately possible.
While no active campaigns have been confirmed, the public disclosure increases the risk of exploitation.
Refer to the WebSystems website or contact their support for the official advisory regarding CVE-2026-6743.