Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-accessible reflected XSS needing no attacker auth (PR:N), but UI:R for victim click; S:C for browser-context scope change; no availability impact.
Primary rating from Vendor (TR-CERT).
CVSS VectorVendor: TR-CERT
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in AKIN Software Computer Import Export Industry and Trade Ltd. E-Commerce allows Reflected XSS.
This issue affects e-Commerce: before 1.25.01.06.
AnalysisAI
Reflected XSS in AKIN Software E-Commerce (all versions before 1.25.01.06) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into following a crafted URL. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) confirms network-reachable exploitation requiring no authentication, with a scope change indicating script execution in the browser context outside the originating document. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to actively interact with a crafted URL containing the XSS payload - the attacker must deliver this URL via phishing, advertising injection, or redirect and persuade the target to click it (UI:R per CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.1 Medium score is consistent with the practical ceiling for reflected XSS without stored persistence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a vulnerable input parameter in the AKIN E-Commerce application that reflects unsanitized content into the HTML response, then crafts a URL embedding a JavaScript payload (e.g., a cookie-stealing script). The attacker delivers this URL to a logged-in shopper or store administrator via phishing email or malicious link. … |
| Remediation | Upgrade AKIN Software E-Commerce to version 1.25.01.06 or later, as confirmed in the CVE description and TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0427. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in E Commerce
View allMultiple SQL injection vulnerabilities in the Welcart e-Commerce plugin 1.3.12 for WordPress allow remote attackers to e
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mAyaNet E-Commerce
Multiple cross-site scripting (XSS) vulnerabilities in the Welcart e-Commerce plugin 1.3.12 for WordPress allow remote a
An authenticated attacker in SAP E-Commerce (Business-to-Consumer application), versions 7.3, 7.31, 7.32, 7.33, 7.54, ca
A security flaw has been discovered in detronetdip E-commerce 1.0.0. The impacted element is the function Delete/Update
SAP E-Commerce (Business-to-Consumer) application does not sufficiently encode user-controlled inputs, resulting in Cros
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yaztek Software Te
A DOM-based cross-site scripting vulnerability exists in electic-shop v1.0 (Bhabishya-123/E-commerce). Rated medium seve
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38445
GHSA-ch8h-w2pf-cfh9