Skip to main content

Mediküm Web CVE-2026-8310

| EUVDEUVD-2026-42224 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-08 TR-CERT GHSA-73vp-vhfv-cfq2
6.1
CVSS 3.1 · Vendor: TR-CERT
Share

Severity by source

Vendor (TR-CERT) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Reflected XSS requires no authentication (PR:N) but depends on victim loading a crafted URL (UI:R); S:C reflects script execution crossing into the browser context.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorVendor: TR-CERT

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 08, 2026 - 13:19 vuln.today

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Webbeyaz Web Design Mediküm Web allows Reflected XSS.

This issue affects Mediküm Web: through 08072026. NOTE: The vendor was contacted and it was learned that the product is not supported.

AnalysisAI

Reflected XSS in Mediküm Web, a Turkish healthcare web application by Webbeyaz Web Design, enables unauthenticated remote attackers to inject and execute malicious scripts in victims' browsers by tricking them into visiting a crafted URL. All versions through 08072026 are affected with no patch available or forthcoming, as the vendor has confirmed the product is end-of-life and unsupported. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify vulnerable Mediküm Web parameter
Delivery
Craft reflected XSS URL with malicious payload
Exploit
Deliver crafted URL to target user via phishing
Install
Victim loads URL in browser
C2
Server reflects unsanitized input in HTML response
Execute
Malicious script executes in victim browser session
Impact
Steal session cookie or perform unauthorized actions

Vulnerability AssessmentAI

Exploitation Exploitation requires a victim user to actively click or load a crafted URL containing the XSS payload targeting the Mediküm Web application - confirmed by the CVSS UI:R metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.1 Medium, vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, is consistent with a standard reflected XSS profile: network-reachable, low complexity, no authentication, but gated by required user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a Mediküm Web parameter that reflects unsanitized user input and constructs a URL embedding a JavaScript payload (e.g., a cookie-stealing script). The attacker distributes this crafted URL to a target user via phishing email or message; when the victim clicks the link and the Mediküm Web server reflects the payload in the HTML response, the script executes in the victim's browser under the application's origin. …
Remediation No vendor-released patch is available and none is expected, as the vendor has confirmed Mediküm Web is an unsupported, end-of-life product. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-8310 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy