Skip to main content

Access Control System GKS CVE-2026-8306

| EUVDEUVD-2026-42017 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-07 TR-CERT GHSA-qwf8-w6p9-q9vq
6.1
CVSS 3.1 · Vendor: TR-CERT
Share

Severity by source

Vendor (TR-CERT) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Network-reachable injection point requires no auth (PR:N); victim must view stored payload (UI:R); scope changes as script runs in victim browser (S:C); no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorVendor: TR-CERT

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 08:06 vuln.today

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Armiya Information Technologies Ltd. Co. Access Control System (GKS) allows Stored XSS.

This issue affects Access Control System (GKS): before Version 2.

AnalysisAI

Stored cross-site scripting in Armiya Information Technologies' Access Control System (GKS) versions before 2 allows an unauthenticated network attacker to persist malicious scripts in the application, which execute in the browser of any user who views the affected page. The scope change (S:C) in the CVSS vector indicates the injected payload breaks out of the application's security context and operates within the victim's browser environment, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit malicious script via unauthenticated form
Delivery
Payload persisted in GKS database
Exploit
Admin or operator views affected page
Execution
Script executes in victim's browser context
Persist
Session token or credentials exfiltrated
Impact
Attacker gains privileged GKS access

Vulnerability AssessmentAI

Exploitation The attacker must be able to reach the GKS web interface over the network and submit data to a form or endpoint that persists input without sanitization - the CVSS PR:N metric indicates no authentication is required at the injection stage. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS score of 6.1 (Medium) reflects the limited confidentiality and integrity impact (C:L/I:L) and the mandatory user-interaction requirement (UI:R), which constrains opportunistic mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An external attacker identifies a publicly accessible input form in the GKS web portal - such as a visitor registration or access request form - and submits a crafted entry containing a malicious JavaScript payload. When a GKS administrator or security operator subsequently reviews the submitted entry in the management interface, the script executes in their browser, potentially exfiltrating session cookies or performing privileged actions on their behalf. …
Remediation Upgrade Access Control System (GKS) to Version 2 or later, which is identified as the remediated release per the TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0502. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-8306 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy