Skip to main content

PDKS CVE-2026-7402

| EUVDEUVD-2026-26372 HIGH
Improper Control of Interaction Frequency (CWE-799)
2026-04-30 TR-CERT
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Apr 30, 2026 - 13:31 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 13:00 euvd
EUVD-2026-26372
Analysis Generated
Apr 30, 2026 - 13:00 vuln.today
CVE Published
Apr 30, 2026 - 12:48 nvd
HIGH 8.1

DescriptionCVE.org

Improper Control of Interaction Frequency vulnerability in MeWare Software Development Inc. PDKS allows Flooding.

This issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.

AnalysisAI

Remote authenticated attackers can flood PDKS (Personnel and Document Tracking System) through uncontrolled interaction frequency, achieving high integrity and availability impacts without confidentiality breach. This workforce management software by MeWare Software Development Inc. is vulnerable to denial-of-service conditions and potential data integrity compromise through rate-limiting bypass. Affects versions from V16.20200313 through VMYR_3.5.2025117. TR-CERT advisory available, EPSS data not provided, no CISA KEV listing identified.

Technical ContextAI

PDKS is a Turkish workforce management and personnel tracking system developed by MeWare Software Development Inc. The vulnerability stems from CWE-799 (Improper Control of Interaction Frequency), indicating the application fails to implement adequate rate limiting or throttling mechanisms on network-accessible endpoints. With AV:N (network attack vector) and AC:L (low complexity), authenticated users can programmatically send excessive requests to vulnerable endpoints. The S:U (unchanged scope) suggests the attack remains within the application boundary without privilege escalation to underlying systems. The CVSS vector's C:N/I:H/A:H profile indicates flooding attacks can corrupt data integrity (I:H) and exhaust system resources (A:H) without directly leaking confidential information, though the 'Information Disclosure' tag suggests potential secondary impacts through system state observation.

RemediationAI

Upgrade PDKS to version VMYR_3.5.2025117 or later, as confirmed by TR-CERT advisory TR-26-0141 at https://www.usom.gov.tr/bildirim/tr-26-0141. Contact MeWare Software Development Inc. directly for patch deployment assistance and version compatibility guidance, particularly for customized installations. If immediate patching is not feasible, implement network-layer rate limiting through web application firewall (WAF) rules targeting PDKS endpoints-configure per-user request thresholds (e.g., 100 requests/minute) and IP-based limits (e.g., 500 requests/minute per source), though this may impact legitimate high-frequency automated integrations with timekeeping hardware. Deploy application-layer monitoring to detect flooding patterns (sustained high request rates from single accounts) and establish automated account suspension for anomalous behavior, accepting the risk of false positives during legitimate batch operations. Restrict PDKS network access to internal networks only via firewall rules, blocking internet-facing exposure unless business requirements explicitly demand external access-this reduces attack surface to insider threats and VPN-authenticated users. Review and audit low-privilege user accounts with PDKS access, revoking unnecessary credentials to minimize PR:L attack surface.

Share

CVE-2026-7402 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy