Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Reflected XSS requires no privileges or special configuration, scope changes as injected script affects browser context beyond the origin page, and mandatory user interaction (UI:R) limits attacker control over triggering.
Primary rating from Vendor (TR-CERT).
CVSS VectorVendor: TR-CERT
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Raera - Ankara Web Design and Digital Advertising Agency Destekz allows Reflected XSS.
This issue affects Destekz: through 02062026. NOTE: The vendor was contacted and it was learned that the product is not supported.
AnalysisAI
Reflected XSS in Destekz (all versions through 02062026) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in victim browsers by delivering crafted URLs containing unsanitized input. The CVSS scope change (S:C) confirms that successful exploitation can affect resources beyond the vulnerable application itself, such as the victim's browser session context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The CVSS vector (PR:N) confirms no authentication is required to craft and deliver the attack payload. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.1 score (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) reflects moderate severity: the attack is network-reachable with low complexity and requires no privileges, but depends on user interaction (UI:R) to deliver the reflected payload. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies an unsanitized parameter in a Destekz page that reflects user input directly into the HTTP response and constructs a URL embedding a JavaScript payload such as a cookie-stealing script. The attacker distributes the crafted URL through phishing email or social engineering targeting users of the affected application. … |
| Remediation | No vendor-released patch identified at time of analysis, and none is expected given the vendor's confirmed statement that Destekz is no longer supported. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41527
GHSA-m2vv-wr2h-x573