Skip to main content

Mezunum Satiyorum CVE-2026-3251

| EUVDEUVD-2026-42953 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-10 TR-CERT GHSA-q58p-r45f-cjqp
6.4
CVSS 3.1 · Vendor: TR-CERT
Share

Severity by source

Vendor (TR-CERT) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS requires victim page load (UI:R per CVSS guidance); PR:L confirmed; S:C and C:L/I:L reflect browser context impact with no availability effect.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorVendor: TR-CERT

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 10, 2026 - 17:37 vuln.today

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Webremium Istanbul Web Design Mezunum Satiyorum allows Stored XSS.

This issue affects Mezunum Satiyorum: from 1.2.504 through 10072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Stored cross-site scripting in Mezunum Satiyorum (versions 1.2.504 through 10072026) allows a low-privileged authenticated attacker to inject persistent malicious scripts into web pages served to other users. The scope change (S:C) in the CVSS vector confirms the payload executes in the victim's browser context, enabling session hijacking, credential theft, or malicious redirects against any user who loads the affected page. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged application account
Delivery
Identify unsanitized stored input field
Exploit
Inject persistent XSS payload
Execution
Victim user loads affected page
Persist
Browser executes attacker script
Impact
Exfiltrate session token or perform authenticated actions

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid low-privileged account on the Mezunum Satiyorum application (PR:L per CVSS vector) sufficient to submit or modify content that is subsequently stored and rendered to other users. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 6.4 (Medium) accurately captures a constrained but real threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privileged account - such as a registered user or content contributor - injects a malicious JavaScript payload (e.g., a cookie-stealing script calling an attacker-controlled endpoint) into a content field that is stored and later rendered without encoding. When an administrative user or another victim browses to the affected page, their browser executes the payload, silently transmitting their session token to the attacker who then hijacks the authenticated session. …
Remediation No vendor-released patch has been identified at time of analysis - the vendor did not respond to TR-CERT's coordinated disclosure. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-3251 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy