Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Authorization bypass through User-Controlled key vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Session Hijacking.
This issue affects E-Commerce Website: before 4.5.001.
AnalysisAI
Authorization bypass in Akilli Commerce E-Commerce Website before 4.5.001 allows remote unauthenticated attackers to hijack user sessions through user-controlled key manipulation. The vulnerability enables complete system compromise with high impact to confidentiality, integrity, and availability. Turkish national CERT (TR-CERT) published an advisory, indicating regional significance. No public exploit code or CISA KEV listing identified at time of analysis, but the CVSS 9.8 Critical rating and network-accessible, unauthenticated attack vector suggest this is highly exploitable if the platform is internet-facing.
Technical ContextAI
This vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the application incorrectly uses user-supplied input as a direct key to authorize access to resources or sessions. In e-commerce platforms, this typically manifests when session identifiers, user IDs, or authorization tokens in cookies, URL parameters, or POST data are not properly validated server-side. The application trusts client-controlled values to determine session ownership, allowing attackers to substitute their own identifiers with those of legitimate users. The affected product is Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website (CPE: cpe:2.3:a:akilli_commerce_software_technologies_ltd._co.:e-commerce_website), a Turkish e-commerce platform. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates this is a network-accessible vulnerability with low complexity requiring no privileges or user interaction, making it trivially exploitable once the vulnerable parameter is identified.
RemediationAI
Upgrade to Akilli Commerce E-Commerce Website version 4.5.001 or later, as confirmed by TR-CERT advisory (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0222). This is the primary and only confirmed fix. If immediate patching is not feasible, implement the following compensating controls with their trade-offs: Deploy a web application firewall (WAF) with custom rules to block suspicious session token patterns in requests (requires signature development and ongoing tuning; may cause false positives for legitimate session management). Implement additional server-side session validation tied to client IP address and User-Agent strings (reduces session hijacking success but breaks legitimate use cases where users change networks or browsers mid-session). Enable strict server-side session binding to prevent cross-session access attempts (most effective mitigation but requires code changes and testing). Restrict administrative and customer account access via VPN or IP allowlisting where operationally feasible (significantly limits exposure but impacts user experience and sales operations). Monitor authentication logs for anomalous session activity such as rapid session switches or geographically inconsistent access patterns (detection only, not prevention; requires SIEM integration and analyst review).
More in E Commerce Website
View allArbitrary file upload vulnerability in SourceCodester E-Commerce Website v 1.0 allows attackers to execute arbitrary cod
SQL injection vulnerability in SourceCodester E-Commerce Website V 1.0 allows remote attackers to execute arbitrary SQL
A vulnerability has been found in SourceCodester E-Commerce Website 1.0 and classified as critical. Rated medium severit
Remote unauthenticated SQL injection in Akilli Commerce Software Technologies E-Commerce Website before version 4.5.001
SQL injection in Akilli Commerce E-Commerce Website versions before 4.5.001 allows remote unauthenticated attackers to e
A vulnerability was determined in code-projects E-Commerce Website 1.0. This affects an unknown part of the file /pages/
A vulnerability was determined in code-projects E-Commerce Website 1.0. The affected element is an unknown function of t
A vulnerability was found in code-projects E-Commerce Website 1.0. Impacted is an unknown function of the file /pages/us
A vulnerability was detected in code-projects E-Commerce Website 1.0. Impacted is an unknown function of the file /pages
A cross-site scripting (XSS) vulnerability in /public/admin/index.php?add_product of E-Commerce Website v1.0 allows atta
Cross-site scripting (XSS) vulnerability in SourceCodester E-Commerce Website v 1.0 allows remote attackers to inject ar
A vulnerability has been found in itsourcecode E-Commerce Website 1.0 and classified as critical. Rated medium severity
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30264
GHSA-q88p-27gr-q4g5