Insecure Object Reference in Stel Order Affects User Data Security
CVE-2026-5798

7.1 HIGH

Key Information:

Vendor

Stel Order

CVE Published:
14 May 2026

What is CVE-2026-5798?

An insecure direct object reference (IDOR) vulnerability in Stel Order allows an authenticated attacker to manipulate the 'employeeID' parameter in requests to the '/app/FrontController' endpoint. Doing so can give unauthorized access to sensitive employee information, such as names, roles, job titles, and vacation records. Users of Stel Order v3.25.1 and earlier are advised to take immediate action to mitigate risks and protect their data.

Affected Version(s)

Stel Order: versions 0 through 3.25.1 (inclusive)

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Manuel Gomez Argandoña