Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Basamak Information Technology Consulting and Organization Trade Ltd. Co. DernekWeb allows Stored XSS.
This issue affects DernekWeb: through 30122025.
AnalysisAI
Stored cross-site scripting (XSS) in DernekWeb through version 30122025 enables attackers to inject persistent malicious scripts that execute when victims view affected pages. The vulnerability requires no authentication to exploit but does require user interaction (viewing the compromised page). With a high CVSS score of 8.8 reflecting potential for high impact across confidentiality, integrity and availability, this represents a serious risk for organizations using this Turkish association management software.
Technical ContextAI
DernekWeb is a web-based association management system developed by Basamak Information Technology Consulting and Organization Trade Ltd. Co., commonly used by Turkish organizations. The vulnerability stems from CWE-79 (improper neutralization of input during web page generation), where user-supplied data is stored in the application database without proper sanitization and later rendered in web pages without adequate output encoding. This allows attackers to inject JavaScript or other client-side code that persists in the application.
RemediationAI
No vendor-released patch identified at time of analysis. The version identifier '30122025' appears to be a future date (December 30, 2025), suggesting this may be a disclosure timeline rather than an actual version number. Organizations should contact Basamak Information Technology directly for patch availability. As compensating controls until a patch is available, implement a Web Application Firewall (WAF) with XSS filtering rules, though this may block legitimate content containing angle brackets or JavaScript keywords. Additionally, implement Content Security Policy (CSP) headers to restrict inline script execution, noting this may break legitimate application functionality if the application relies on inline scripts.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30759
GHSA-cw64-mj5p-2vxf