Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Description (CVE.org)
Observable response discrepancy vulnerability in HAVELSAN Inc. Geographic Tracking System allows System Footprinting.
This issue affects Geographic Tracking System: before v0.0.2.
Analysis (AI)
Information disclosure in HAVELSAN Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated attackers to perform system footprinting by analyzing observable discrepancies in server responses. The CVSS 9.1 score reflects high confidentiality and integrity impact over the network with no authentication required, though no public exploit was identified at the time of analysis. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The Geographic Tracking System instance must be network-reachable by the attacker on its application port, and the vulnerable response-generating endpoints must be exposed without authentication gating (consistent with PR:N in the CVSS vector). … |
| Risk Assessment | The CVSS vector AV:N/AC:L/PR:N/UI:N reflects network-reachable, low-complexity, unauthenticated exploitation, and the C:H/I:H rating is unusually high for a CWE-204 footprinting weakness - typically such issues warrant only C:L. … |
| Exploit Scenario | A remote attacker with network access to the Geographic Tracking System sends a series of probe requests - for example, varying user IDs, asset IDs, or authentication parameters - and compares response codes, error messages, body lengths, or response times to enumerate valid identifiers and infer backend state. The harvested information (valid usernames, internal asset IDs, software versions) is then used to plan a follow-on credential-stuffing, social-engineering, or targeted-exploit campaign against the same deployment. … |
| Remediation | Upgrade Geographic Tracking System to version v0.0.2 or later, which the TR-CERT advisory (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0325) identifies as the first fixed release - this is the primary and only confirmed fix. … |
EUVD-2026-34836
GHSA-3765-5f6w-7p86