Skip to main content

Nomysem CVE-2026-6280

| EUVDEUVD-2026-42209 MEDIUM
Exposure of Sensitive Information Due to Incompatible Policies (CWE-213)
2026-07-08 iletisim@usom.gov.tr GHSA-jp2f-v3mv-mpr8
6.5
CVSS 3.1 · Vendor: usom
Share

Severity by source

Vendor (usom) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable ACL bypass requires only a low-privilege account; no integrity or availability impact described.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (usom).

CVSS VectorVendor: usom

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 08, 2026 - 09:31 vuln.today

DescriptionCVE.org

Exposure of sensitive information due to incompatible policies vulnerability in NOMYSOFT Informatics Education and Consulting Inc. Nomysem allows Accessing Functionality Not Properly Constrained by ACLs.

This issue affects Nomysem: through 08072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Nomysem, an education and consulting management platform by Turkish vendor NOMYSOFT Informatics, exposes sensitive information to authenticated low-privilege users due to incompatible ACL policies that fail to properly constrain access to restricted functionality. Network-accessible endpoints can be reached by any valid account holder, yielding high-confidentiality-impact data exposure without requiring elevated rights or user interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid low-privilege Nomysem account
Delivery
Send crafted network request to restricted endpoint
Exploit
Trigger incompatible ACL policy evaluation
Execution
Bypass intended access constraint
Impact
Extract sensitive information from response

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid low-privilege authenticated session on the Nomysem platform, as confirmed by the CVSS PR:L metric - unauthenticated attackers cannot directly exploit this vulnerability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS base score of 6.5 (Medium) reflects a meaningful but bounded risk: network reachability (AV:N) and low attack complexity (AC:L) lower the bar for exploitation, while the PR:L requirement anchors risk to authenticated users only, excluding unauthenticated internet attackers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a standard low-privilege account on the Nomysem platform crafts HTTP requests targeting restricted application endpoints that are inadequately protected by the inconsistent ACL policy. The system's access control logic fails to enforce the intended restrictions, returning sensitive data - such as records belonging to other users or administrative information - directly in the response. …
Remediation No vendor-released patch identified at time of analysis - the vendor (NOMYSOFT Informatics Education and Consulting Inc.) was contacted prior to disclosure and did not respond, leaving no official fix confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-6280 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy