Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Beyaz Computer Software Design Industry and Trade Ltd. Co. CityPLus allows Reflected XSS.
This issue affects CityPLus: before V24.29750.1.0.
AnalysisAI
Reflected cross-site scripting in Beyaz Computer Software's CityPLus application (versions before V24.29750.1.0) allows remote attackers to inject malicious script into web responses that execute in a victim's browser after the victim clicks a crafted link. The CVSS 7.6 score is elevated by a High Availability impact, suggesting the XSS payload can crash or render the application unusable beyond typical session-theft outcomes. No public exploit identified at time of analysis and the issue was reported by TR-CERT (Turkey's national CERT).
Technical ContextAI
The flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), the canonical root cause for XSS. CityPLus, identified by CPE cpe:2.3:a:beyaz_computer_software_design_industry_and_trade_ltd._co.:cityplus, is a web-based application produced by the Turkish vendor Beyaz Bilgisayar; the reflected variant indicates that user-supplied input (typically via query string or form parameter) is echoed back into the rendered HTML response without sufficient encoding or sanitization, allowing attacker-controlled script to execute in the browsing context of any user who follows a malicious link.
RemediationAI
Upgrade CityPLus to version V24.29750.1.0 or later, which is the fixed release identified in the TR-CERT advisory (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0263). Until the upgrade is deployed, deploy a web application firewall ruleset that blocks common reflected-XSS payload patterns (script tags, javascript: URIs, event handlers) on CityPLus request parameters, and enforce a strict Content-Security-Policy response header disallowing inline scripts to reduce execution impact - note that aggressive CSP rules may break legitimate CityPLus client-side functionality and should be tested first. User-awareness training to avoid clicking unsolicited CityPLus links from untrusted sources is a complementary control given the UI:R requirement.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31122
GHSA-q787-v8vf-vc3c