CVE-2026-6953
MediumCVSS 5.1Exploitation Probability (EPSS)
Low risk28th percentile — higher than 28% of all known CVEs
Summary
An HTML injection vulnerability has been discovered in Intermark IT's WebControl CMS v3.5. An attacker can send an email containing malicious HTML code to a victim via the contact form. Exploitation requires sending a request with the 'nombreApellidos', 'dirección', and 'comentarios' parameters to '/processContact.do'.
Risk Assessment
The risk involves potential phishing attacks or credential theft by embedding malicious HTML code in an email sent from a trusted CMS system.
Recommendation
Immediately update WebControl CMS to the latest version and implement input filtering and output encoding for all contact form parameters.
Original NVD description (English source)
HTML injection vulnerability in Intermark IT's WebControl CMS v3.5. This vulnerability allows an attacker to send an email containing malicious HTML code to a victim via the contact form. To exploit this vulnerability, the attacker must send a request using the 'nombreApellidos', 'dirección ', and 'comentarios ' parameters to '/processContact.do'.

