e-BAP Automation CVE-2025-10876
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Talent Software e-BAP Automation allows Cross-Site Scripting (XSS).
This issue affects e-BAP Automation: from 1.8.96 before v.41815.
AnalysisAI
Cross-site scripting in Talent Software e-BAP Automation (versions 1.8.96 through pre-v.41815) allows unauthenticated remote attackers to inject arbitrary JavaScript into web pages served by the application. The CVSS vector assigns UI:N (no user interaction required), which is atypical for XSS and may suggest a stored or persistent injection variant that auto-executes rather than a reflected type requiring a victim to click a crafted link. No public exploit identified at time of analysis, and the EPSS score of 0.03% (10th percentile) signals very low current exploitation interest; however, the unauthenticated network exposure warrants patching in internet-facing deployments.
Technical ContextAI
e-BAP Automation is a business process automation platform developed by Talent Software, a Turkish software vendor. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied input is incorporated into HTML output without adequate encoding or sanitization, enabling script injection. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N indicates network reachability, low attack complexity, no required privileges, and - notably - no victim user interaction, which distinguishes this from typical reflected XSS. No CPE string was provided in the source data; the affected product and version range are derived solely from the NVD description and Turkish USOM advisory TR-25-0434. Impact is scoped to confidentiality only (C:L), consistent with session token or credential harvesting rather than data modification or service disruption.
Affected ProductsAI
Talent Software e-BAP Automation is affected from version 1.8.96 up to but not including v.41815. No CPE string was provided in the source data; the version range is as reported by Turkish USOM in advisory TR-25-0434, available at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0434 and https://www.usom.gov.tr/bildirim/tr-25-0434. Installations running any version in this range on any supported platform should be treated as affected.
RemediationAI
The primary fix is upgrading e-BAP Automation to version v.41815 or later, as documented in Turkish USOM advisory TR-25-0434 (https://www.usom.gov.tr/bildirim/tr-25-0434). Vendor-released patch: v.41815. If immediate upgrade is not feasible, compensating controls include deploying a web application firewall (WAF) with XSS filtering rules in front of the e-BAP Automation interface, which reduces injection success rates but does not eliminate the underlying flaw and may cause false positives on legitimate input. Additionally, restricting network access to the application to trusted internal IP ranges reduces exposure for the AV:N attack vector. If UI:N is confirmed accurate (stored XSS), review application logs for anomalous input submissions to user-editable fields as an interim detection measure. Contact Talent Software support to confirm whether v.41815 is available for your deployment and to obtain the upgrade package.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today