Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-reachable web interface requires no authentication to inject; victim must view page for execution; scope change reflects browser context boundary crossing with limited confidentiality and integrity impact.
Primary rating from Vendor (TR-CERT).
CVSS VectorVendor: TR-CERT
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Eksagate Electronic Engineering and Computer Industry Trade Inc. SYSGUARD 6001 allows Stored XSS.
This issue affects SYSGUARD 6001: from 2.0.2 before 6.1.4.0.
NOTE: The vendor was contacted and it was learned that the product is not supported.
AnalysisAI
Stored cross-site scripting in SYSGUARD 6001 (versions 2.0.2 through before 6.1.4.0) by Eksagate Electronic Engineering and Computer Industry Trade Inc. permits remote unauthenticated attackers to inject persistent malicious scripts into the product's web interface, which execute in the browsers of any user who subsequently views the affected page. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The CVSS vector (PR:N) indicates no authentication is required to submit the malicious stored payload to the SYSGUARD 6001 web interface. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 6.1 (Medium) is driven by AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated remote attacker identifies an input field on SYSGUARD 6001's web interface that lacks output encoding, then submits a crafted JavaScript payload that is persisted server-side. When an administrator later logs in and navigates to the affected page, the stored script executes in their browser, allowing the attacker to steal the session token and perform actions with administrator-level privileges in the management interface. |
| Remediation | No vendor-released patch will be provided - the vendor confirmed end-of-life status and the product is unsupported. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Sysguard 6001
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40298
GHSA-5gw8-w8f7-pfc3