Skip to main content

AKIN E-Commerce CVE-2026-10857

| EUVDEUVD-2026-38445 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-23 TR-CERT GHSA-ch8h-w2pf-cfh9
6.1
CVSS 3.1 · Vendor: TR-CERT
Share

Severity by source

Vendor (TR-CERT) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Network-accessible reflected XSS needing no attacker auth (PR:N), but UI:R for victim click; S:C for browser-context scope change; no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorVendor: TR-CERT

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jun 23, 2026 - 14:17 EUVD
Analysis Generated
Jun 23, 2026 - 13:12 vuln.today

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in AKIN Software Computer Import Export Industry and Trade Ltd. E-Commerce allows Reflected XSS.

This issue affects e-Commerce: before 1.25.01.06.

AnalysisAI

Reflected XSS in AKIN Software E-Commerce (all versions before 1.25.01.06) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into following a crafted URL. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) confirms network-reachable exploitation requiring no authentication, with a scope change indicating script execution in the browser context outside the originating document. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify vulnerable e-Commerce parameter
Delivery
Craft malicious URL with XSS payload
Exploit
Deliver URL to target user via phishing or redirect
Install
Victim clicks link, browser sends crafted request
C2
Server reflects unencoded input in HTML response
Execute
Injected script executes in victim browser
Impact
Exfiltrate session token or perform action on victim's behalf

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to actively interact with a crafted URL containing the XSS payload - the attacker must deliver this URL via phishing, advertising injection, or redirect and persuade the target to click it (UI:R per CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.1 Medium score is consistent with the practical ceiling for reflected XSS without stored persistence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a vulnerable input parameter in the AKIN E-Commerce application that reflects unsanitized content into the HTML response, then crafts a URL embedding a JavaScript payload (e.g., a cookie-stealing script). The attacker delivers this URL to a logged-in shopper or store administrator via phishing email or malicious link. …
Remediation Upgrade AKIN Software E-Commerce to version 1.25.01.06 or later, as confirmed in the CVE description and TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0427. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10857 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy