Skip to main content

Yaay Social Media App CVE-2025-12008

| EUVDEUVD-2025-209841 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-14 TR-CERT GHSA-j2gg-fc46-32rv
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 14, 2026 - 13:16 vuln.today
CVE Published
May 14, 2026 - 12:31 nvd
HIGH 8.8

DescriptionCVE.org

Authorization bypass through User-Controlled key vulnerability in APPYAP Technology and Information Inc. Yaay Social Media App allows Accessing Functionality Not Properly Constrained by ACLs.

This issue affects Yaay Social Media App: from 3.8.0 through 24102025.

AnalysisAI

Authorization bypass in Yaay Social Media App versions 3.8.0 through 24102025 allows remote unauthenticated attackers to access restricted functionality and data by manipulating user-controlled key parameters. The vulnerability enables unauthorized access to features normally protected by access control lists (ACLs), potentially exposing user data, administrative functions, or content modification capabilities. TR-CERT has disclosed this issue with a CVSS base score of 8.8, requiring user interaction for exploitation. No evidence of active exploitation (not in CISA KEV) or public exploit code has been identified at time of analysis.

Technical ContextAI

This vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the application accepts user-supplied input as a key to access resources or functionality without properly validating authorization. The affected product, Yaay Social Media App (CPE: cpe:2.3:a:appyap_technology_and_information_inc.:yaay_social_media_app), likely relies on predictable or manipulable identifiers in API requests, URLs, or session tokens that can be modified to access other users' data or administrative endpoints. This represents a broken access control flaw where horizontal or vertical privilege escalation is possible through parameter manipulation, such as changing user IDs, resource identifiers, or role tokens in HTTP requests. The network attack vector (AV:N) indicates the vulnerability is exploitable through standard application interfaces, while low attack complexity (AC:L) suggests no special cryptographic or timing requirements beyond identifying the manipulable parameter.

RemediationAI

Organizations and users should immediately upgrade to a patched version of Yaay Social Media App beyond version 24102025 if available from APPYAP Technology and Information Inc. Consult the TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0238 for vendor-specific remediation guidance and confirmed patched versions. Until patches are applied, implement compensating controls including: restrict application access to trusted networks only through network segmentation or VPN requirements (trade-off: reduces usability of mobile social media app); implement web application firewall (WAF) rules to detect and block requests with suspicious parameter manipulation patterns such as sequential ID enumeration or role escalation attempts (trade-off: may generate false positives requiring tuning); enable enhanced logging and monitoring for authorization failures, unusual resource access patterns, or parameter tampering attempts to detect exploitation attempts (trade-off: increased log storage and analysis overhead); educate users to avoid clicking suspicious links within the app that could trigger the user interaction requirement. For enterprise deployments, consider temporarily restricting or blocking application access until vendor patches are confirmed and deployed.

Share

CVE-2025-12008 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy