Skip to main content

DernekWeb CVE-2026-7498

| EUVDEUVD-2026-30759 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-18 TR-CERT GHSA-cw64-mj5p-2vxf
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 18, 2026 - 09:31 vuln.today

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Basamak Information Technology Consulting and Organization Trade Ltd. Co. DernekWeb allows Stored XSS.

This issue affects DernekWeb: through 30122025.

AnalysisAI

Stored cross-site scripting (XSS) in DernekWeb through version 30122025 enables attackers to inject persistent malicious scripts that execute when victims view affected pages. The vulnerability requires no authentication to exploit but does require user interaction (viewing the compromised page). With a high CVSS score of 8.8 reflecting potential for high impact across confidentiality, integrity and availability, this represents a serious risk for organizations using this Turkish association management software.

Technical ContextAI

DernekWeb is a web-based association management system developed by Basamak Information Technology Consulting and Organization Trade Ltd. Co., commonly used by Turkish organizations. The vulnerability stems from CWE-79 (improper neutralization of input during web page generation), where user-supplied data is stored in the application database without proper sanitization and later rendered in web pages without adequate output encoding. This allows attackers to inject JavaScript or other client-side code that persists in the application.

RemediationAI

No vendor-released patch identified at time of analysis. The version identifier '30122025' appears to be a future date (December 30, 2025), suggesting this may be a disclosure timeline rather than an actual version number. Organizations should contact Basamak Information Technology directly for patch availability. As compensating controls until a patch is available, implement a Web Application Firewall (WAF) with XSS filtering rules, though this may block legitimate content containing angle brackets or JavaScript keywords. Additionally, implement Content Security Policy (CSP) headers to restrict inline script execution, noting this may break legitimate application functionality if the application relies on inline scripts.

Share

CVE-2026-7498 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy