Search criteria
1 vulnerability by Wolters Kluwer Polska
CVE-2026-1493 (GCVE-0-2026-1493)
Vulnerability from cvelistv5 – Published: 2026-04-30 11:24 – Updated: 2026-04-30 13:04
VLAI
Title
Cross-Site Scripting in LEX Baza Dokumentów
Summary
LEX Baza Dokumentów is vulnerable to DOM-based XSS in "em" cookie parameter. The application unsafely
processes the parameter on the client side, allowing an attacker to execute arbitrary
JavaScript in the context of the victim's browser.
An attacker with ability to set a cookie can perform a more severe attack, so we evaluate the impact and risk of exploitation as minimal. However, the vendor considered this a vulnerability and released a security patch.
This issue was fixed in version 1.3.4.
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.wolterskluwer.com/pl-pl/solutions/lex… | product |
| https://cert.pl/posts/2026/04/CVE-2025-1493 | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wolters Kluwer Polska | LEX Baza Dokumentów |
Affected:
0 , < 1.3.4
(semver)
|
Date Public
2026-04-30 09:08
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1493",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-30T13:04:37.182803Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T13:04:44.255Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LEX Baza Dokument\u00f3w",
"vendor": "Wolters Kluwer Polska",
"versions": [
{
"lessThan": "1.3.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Marek Figielski (Vanilla.pl)"
}
],
"datePublic": "2026-04-30T09:08:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "LEX Baza Dokument\u00f3w is vulnerable to DOM-based XSS in \"em\"\u0026nbsp;cookie parameter.\u0026nbsp;The application unsafely\nprocesses the parameter on the client side, allowing an attacker to execute arbitrary\nJavaScript in the context of the victim\u0027s browser.\u003cbr\u003eAn attacker with ability to set a cookie can perform a more severe attack, so we evaluate the impact and risk of exploitation as minimal. However, the vendor considered this a vulnerability and released a security patch.\u003cbr\u003e\u003cbr\u003eThis issue was fixed in version 1.3.4."
}
],
"value": "LEX Baza Dokument\u00f3w is vulnerable to DOM-based XSS in \"em\"\u00a0cookie parameter.\u00a0The application unsafely\nprocesses the parameter on the client side, allowing an attacker to execute arbitrary\nJavaScript in the context of the victim\u0027s browser.\nAn attacker with ability to set a cookie can perform a more severe attack, so we evaluate the impact and risk of exploitation as minimal. However, the vendor considered this a vulnerability and released a security patch.\n\nThis issue was fixed in version 1.3.4."
}
],
"impacts": [
{
"capecId": "CAPEC-588",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-588 DOM-Based XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T11:24:30.615Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.wolterskluwer.com/pl-pl/solutions/lex-baza-dokumentow"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2026/04/CVE-2025-1493"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cross-Site Scripting in LEX Baza Dokument\u00f3w",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2026-1493",
"datePublished": "2026-04-30T11:24:30.615Z",
"dateReserved": "2026-01-27T14:52:25.033Z",
"dateUpdated": "2026-04-30T13:04:44.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}