Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-reachable ACL bypass requires only a low-privilege account; no integrity or availability impact described.
Primary rating from Vendor (usom).
CVSS VectorVendor: usom
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Exposure of sensitive information due to incompatible policies vulnerability in NOMYSOFT Informatics Education and Consulting Inc. Nomysem allows Accessing Functionality Not Properly Constrained by ACLs.
This issue affects Nomysem: through 08072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Nomysem, an education and consulting management platform by Turkish vendor NOMYSOFT Informatics, exposes sensitive information to authenticated low-privilege users due to incompatible ACL policies that fail to properly constrain access to restricted functionality. Network-accessible endpoints can be reached by any valid account holder, yielding high-confidentiality-impact data exposure without requiring elevated rights or user interaction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid low-privilege authenticated session on the Nomysem platform, as confirmed by the CVSS PR:L metric - unauthenticated attackers cannot directly exploit this vulnerability. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS base score of 6.5 (Medium) reflects a meaningful but bounded risk: network reachability (AV:N) and low attack complexity (AC:L) lower the bar for exploitation, while the PR:L requirement anchors risk to authenticated users only, excluding unauthenticated internet attackers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a standard low-privilege account on the Nomysem platform crafts HTTP requests targeting restricted application endpoints that are inadequately protected by the inconsistent ACL policy. The system's access control logic fails to enforce the intended restrictions, returning sensitive data - such as records belonging to other users or administrative information - directly in the response. … |
| Remediation | No vendor-released patch identified at time of analysis - the vendor (NOMYSOFT Informatics Education and Consulting Inc.) was contacted prior to disclosure and did not respond, leaving no official fix confirmed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42209
GHSA-jp2f-v3mv-mpr8