SYS::ONLINE
Wasteland.
Briefs1143
Issues18
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-2342 2026-07-09

CVE-2026-2342: Critical Stored XSS in OceanicSoft ValeApp

"A critical stored cross-site scripting flaw in OceanicSoft Informatics Systems Ltd.'s ValeApp lets an unauthenticated attacker inject persistent malicious script, carrying a CVSS 3.1 base score of 9.3."

A critical stored cross-site scripting flaw in OceanicSoft Informatics Systems Ltd.'s ValeApp lets an unauthenticated attacker inject persistent malicious script, carrying a CVSS 3.1 base score of 9.3.

What Is It

CVE-2026-2342 is an improper neutralization of input during web page generation ('cross-site scripting') vulnerability, classified as CWE-79, resulting in Stored XSS. Because the malicious input is stored and later served back during web page generation, injected script executes in the browser of any user who views the affected page. The vulnerability was reported by Turkey's national CSIRT (USOM).

Why It Matters

The flaw is rated CRITICAL with a CVSS 3.1 base score of 9.3 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N). It is network-exploitable with low attack complexity and requires no privileges, though it does require user interaction. The scope is Changed, and both confidentiality and integrity impacts are High. Stored XSS of this severity can enable session hijacking, credential theft, and unauthorized actions against high-value targets viewing the affected content.

What's Vulnerable

The affected product is OceanicSoft Informatics Systems Ltd. ValeApp. Per the NVD record, the issue affects ValeApp through version 09072026 (all versions up to and including that build). No specific CPE entries are listed in the supplied data.

Patch Status

The supplied data does not indicate an available fix. The NVD note states that the vendor was contacted early about this disclosure but did not respond in any way, leaving no confirmed patch or vendor remediation guidance. This CVE does not appear in the supplied CISA KEV data, so there is no confirmation of active exploitation at this time. The record's vulnerability status is "Received."

Sources