Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Gosoft Software Industry and Trade Ltd. Co. Proticaret E-Commerce allows Cross-Site Scripting (XSS), Reflected XSS.
This issue affects Proticaret E-Commerce: from v5.0.0 before V 6.0.1767.1383.
AnalysisAI
Cross-site scripting in Gosoft Proticaret E-Commerce v5.0.0 through v6.0.1767.1383 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted HTTP requests. Despite the 8.8 CVSS score indicating complete compromise (High C/I/A), the CVSS vector reveals this is a reflected XSS requiring user interaction (UI:R), not a stored or blind XSS. The vulnerability is unscoped (S:U), meaning impact is confined to the vulnerable application. No active exploitation confirmed via CISA KEV and no public exploit code identified at time of analysis. TR-CERT advisory available with remediation guidance.
Technical ContextAI
This is a CWE-79 improper input neutralization vulnerability in the web page generation layer of Proticaret E-Commerce, a Turkish e-commerce platform by Gosoft Software Industry and Trade Ltd. Co. The affected CPE string (cpe:2.3:a:gosoft_software_industry_and_trade_ltd._co.:proticaret_e-commerce) identifies a commercial e-commerce solution likely used by Turkish businesses. Reflected XSS occurs when the application accepts user-supplied input (typically URL parameters or form data) and includes it in the HTTP response without proper sanitization, encoding, or validation. This allows attackers to inject malicious JavaScript that executes in the context of the victim's browser session. The vulnerability spans multiple major versions (v5.x through early v6.x builds), suggesting a persistent input handling flaw in the application's templating or output rendering logic rather than an isolated code defect.
RemediationAI
Upgrade Proticaret E-Commerce to version 6.0.1767.1383 or later, which addresses the input neutralization vulnerability per the NVD version range data. Consult the TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0180 for official vendor patch instructions and deployment notes. If immediate upgrade is not feasible, implement defense-in-depth controls: deploy a Web Application Firewall (WAF) with XSS signature detection to filter malicious input patterns (trade-off: potential false positives blocking legitimate requests; requires tuning for e-commerce workflows). Enable Content Security Policy (CSP) headers with restrictive script-src directives to prevent inline JavaScript execution (trade-off: may break legitimate functionality if the application uses inline scripts; requires testing). Educate users to avoid clicking untrusted links to the e-commerce platform and verify URLs before authentication. Review application logs for suspicious parameter patterns (e.g., script tags, JavaScript event handlers in URL parameters) to detect exploitation attempts. Note that these mitigations reduce but do not eliminate risk - patching to version 6.0.1767.1383+ is the authoritative remediation.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28349
GHSA-p86h-jj99-f63w