Skip to main content

CityPLus CVE-2026-5783

| EUVDEUVD-2026-31122 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-20 TR-CERT GHSA-q787-v8vf-vc3c
7.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 16:00 vuln.today

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Beyaz Computer Software Design Industry and Trade Ltd. Co. CityPLus allows Reflected XSS.

This issue affects CityPLus: before V24.29750.1.0.

AnalysisAI

Reflected cross-site scripting in Beyaz Computer Software's CityPLus application (versions before V24.29750.1.0) allows remote attackers to inject malicious script into web responses that execute in a victim's browser after the victim clicks a crafted link. The CVSS 7.6 score is elevated by a High Availability impact, suggesting the XSS payload can crash or render the application unusable beyond typical session-theft outcomes. No public exploit identified at time of analysis and the issue was reported by TR-CERT (Turkey's national CERT).

Technical ContextAI

The flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), the canonical root cause for XSS. CityPLus, identified by CPE cpe:2.3:a:beyaz_computer_software_design_industry_and_trade_ltd._co.:cityplus, is a web-based application produced by the Turkish vendor Beyaz Bilgisayar; the reflected variant indicates that user-supplied input (typically via query string or form parameter) is echoed back into the rendered HTML response without sufficient encoding or sanitization, allowing attacker-controlled script to execute in the browsing context of any user who follows a malicious link.

RemediationAI

Upgrade CityPLus to version V24.29750.1.0 or later, which is the fixed release identified in the TR-CERT advisory (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0263). Until the upgrade is deployed, deploy a web application firewall ruleset that blocks common reflected-XSS payload patterns (script tags, javascript: URIs, event handlers) on CityPLus request parameters, and enforce a strict Content-Security-Policy response header disallowing inline scripts to reduce execution impact - note that aggressive CSP rules may break legitimate CityPLus client-side functionality and should be tested first. User-awareness training to avoid clicking unsolicited CityPLus links from untrusted sources is a complementary control given the UI:R requirement.

Share

CVE-2026-5783 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy