Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-reachable injection point requires no auth (PR:N); victim must view stored payload (UI:R); scope changes as script runs in victim browser (S:C); no availability impact.
Primary rating from Vendor (TR-CERT).
CVSS VectorVendor: TR-CERT
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Armiya Information Technologies Ltd. Co. Access Control System (GKS) allows Stored XSS.
This issue affects Access Control System (GKS): before Version 2.
AnalysisAI
Stored cross-site scripting in Armiya Information Technologies' Access Control System (GKS) versions before 2 allows an unauthenticated network attacker to persist malicious scripts in the application, which execute in the browser of any user who views the affected page. The scope change (S:C) in the CVSS vector indicates the injected payload breaks out of the application's security context and operates within the victim's browser environment, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be able to reach the GKS web interface over the network and submit data to a form or endpoint that persists input without sanitization - the CVSS PR:N metric indicates no authentication is required at the injection stage. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS score of 6.1 (Medium) reflects the limited confidentiality and integrity impact (C:L/I:L) and the mandatory user-interaction requirement (UI:R), which constrains opportunistic mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An external attacker identifies a publicly accessible input form in the GKS web portal - such as a visitor registration or access request form - and submits a crafted entry containing a malicious JavaScript payload. When a GKS administrator or security operator subsequently reviews the submitted entry in the management interface, the script executes in their browser, potentially exfiltrating session cookies or performing privileged actions on their behalf. … |
| Remediation | Upgrade Access Control System (GKS) to Version 2 or later, which is identified as the remediated release per the TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0502. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Access Control System Gks
View allInformation disclosure in Armiya Information Technologies' Access Control System (GKS) before Version 2 allows remote un
Reflected XSS in Armiya Information Technologies' Access Control System (GKS) allows unauthenticated remote attackers to
Reflected cross-site scripting in Armiya Information Technologies' Access Control System (GKS) before Version 2 allows a
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42017
GHSA-qwf8-w6p9-q9vq