ISP Billing Software EUVD-2026-23814

CVE-2026-6623 · MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-20 · VulDB · GHSA-293r-hxw5-cfmj
4.8 (CVSS 4.0 · NVD)
Severity by source

NVD (primary): 4.8 MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: High (PR:H)
User Interaction: Passive (UI:P)
Scope: X (not defined)

Lifecycle Timeline (7 events)

  • Apr 22, 2026 20:22 · vuln.today · PoC Detected: public exploit code
  • Apr 20, 2026 10:22 · NVD · Severity Changed: LOW → MEDIUM
  • Apr 20, 2026 10:22 · NVD · CVSS changed: 2.4 (LOW) → 4.8 (MEDIUM)
  • Apr 20, 2026 09:45 · vuln.today · Analysis Generated
  • Apr 20, 2026 09:30 · euvd · EUVD ID Assigned: EUVD-2026-23814
  • Apr 20, 2026 09:30 · vuln.today · Analysis Generated
  • Apr 20, 2026 09:00 · nvd · CVE Published: MEDIUM 4.8

Description (CVE.org)

A security flaw has been discovered in BichitroGan ISP Billing Software 2025.3.20. This impacts an unknown function of the file /?_route=settings/users-view/ of the component Profile Page Handler. Performing a manipulation results in cross-site scripting. The attack can be carried out remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

Stored cross-site scripting (XSS) in BichitroGan ISP Billing Software 2025.3.20 allows authenticated high-privilege users to inject malicious scripts via the Profile Page Handler settings/users-view endpoint, affecting subsequent users who view the compromised profile. The vulnerability requires high-privilege authentication and user interaction (page viewing), limiting exploitation scope; however, publicly available proof-of-concept code exists and the vendor has not responded to disclosure attempts.

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Recon: obtain high-privilege admin credentials
  • Delivery: access the settings/users-view endpoint
  • Exploit: inject an XSS payload into a profile field
  • Install: save the malicious profile
  • C2: trick or wait for another admin to view the profile
  • Execute: the malicious script executes in the admin's browser
  • Impact: session hijack or privilege abuse

Vulnerability Assessment (AI)

Exploitation: High-privilege user account authentication is required (PR:H indicates the privilege level requirement). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Real-world risk is LOW to MODERATE despite the publicly available exploit code. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker with high-privilege administrative credentials (either obtained through credential compromise or as an insider) navigates to /?_route=settings/users-view/ and injects malicious JavaScript into a user profile field (e.g., display name, email, phone). When another administrator or authorized user views the compromised profile page, the injected script executes in their browser, potentially stealing session cookies, redirecting them to a phishing site, or performing unauthorized actions within the billing system.

Remediation: The primary remediation is to upgrade BichitroGan ISP Billing Software to a patched version; however, no patched version has been identified in available data, and the vendor has not responded to disclosure. … Detailed patch versions, workarounds, and compensating controls in full report.
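The exploit scenario and remediation entries above describe the generic stored-XSS pattern (profile field values written into a page without output encoding) and the absence of a vendor patch. The following is an added example, not code from BichitroGan or from vuln.today, and it does not reflect how the affected product renders profiles; it shows the vulnerable rendering pattern beside its hardened form (HTML entity encoding at output time) and a small audit helper a defender can run over already-stored profile records to find values that contain markup. The profile records, field names and the `render_profile_*` / `scan_profiles` function names are all constructed for this example.

```python
import html
import re

# Constructed sample records; none of this is data from the affected product.
SAMPLE_PROFILES = [
    {"id": 1, "display_name": "Alice Example",
     "email": "alice@example.invalid", "phone": "+1-555-0100"},
    {"id": 2, "display_name": 'Mallory <img src=x onerror="alert(1)">',
     "email": "mallory@example.invalid", "phone": "+1-555-0101"},
]

# Profile fields rendered on the (hypothetical) profile page.
FIELDS = ("display_name", "email", "phone")


def render_profile_unsafe(profile: dict) -> str:
    """Vulnerable pattern: stored field values are concatenated straight into
    HTML, so any markup saved in a profile field is rendered as markup and,
    if it carries script or an event handler, executed in the viewer's browser."""
    rows = "".join(f"<li>{field}: {profile[field]}</li>" for field in FIELDS)
    return f"<ul>{rows}</ul>"


def render_profile_safe(profile: dict) -> str:
    """Hardened pattern: every untrusted value is HTML-entity encoded at output
    time (quote=True also encodes " and ' for use inside attributes), so stored
    markup is displayed as literal text instead of being interpreted."""
    rows = "".join(
        f"<li>{field}: {html.escape(str(profile[field]), quote=True)}</li>"
        for field in FIELDS
    )
    return f"<ul>{rows}</ul>"


# Audit heuristic for records that are already stored: an HTML tag opener,
# an inline event-handler attribute, or a javascript: URL scheme.
MARKUP_PATTERN = re.compile(
    r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE
)


def field_looks_like_markup(value) -> bool:
    """True when a stored value contains markup-like content worth review."""
    return bool(MARKUP_PATTERN.search(str(value)))


def scan_profiles(profiles) -> list:
    """Return (id, field) pairs whose stored value looks like markup.
    This is a one-off review aid for existing records; output encoding in
    render_profile_safe is the actual fix, since input filtering alone can
    be bypassed or miss values stored before the filter existed."""
    hits = []
    for profile in profiles:
        for field in FIELDS:
            if field_looks_like_markup(profile.get(field, "")):
                hits.append((profile["id"], field))
    return hits


if __name__ == "__main__":
    for profile in SAMPLE_PROFILES:
        print(render_profile_safe(profile))
    print("stored fields needing review:", scan_profiles(SAMPLE_PROFILES))
```

Running the module prints both sample profiles with the second one's display name encoded as `&lt;img src=x onerror=&quot;alert(1)&quot;&gt;`, followed by `[(2, 'display_name')]` from the audit pass. Encoding at the output boundary is the control that works regardless of where a value came from; the scan only helps locate records that were saved before that control was in place.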

EUVD-2026-23814 vulnerability details – vuln.today