Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Control of Interaction Frequency vulnerability in MeWare Software Development Inc. PDKS allows Flooding.
This issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.
AnalysisAI
Remote authenticated attackers can flood PDKS (Personnel and Document Tracking System) through uncontrolled interaction frequency, achieving high integrity and availability impacts without confidentiality breach. This workforce management software by MeWare Software Development Inc. is vulnerable to denial-of-service conditions and potential data integrity compromise through rate-limiting bypass. Affects versions from V16.20200313 through VMYR_3.5.2025117. TR-CERT advisory available, EPSS data not provided, no CISA KEV listing identified.
Technical ContextAI
PDKS is a Turkish workforce management and personnel tracking system developed by MeWare Software Development Inc. The vulnerability stems from CWE-799 (Improper Control of Interaction Frequency), indicating the application fails to implement adequate rate limiting or throttling mechanisms on network-accessible endpoints. With AV:N (network attack vector) and AC:L (low complexity), authenticated users can programmatically send excessive requests to vulnerable endpoints. The S:U (unchanged scope) suggests the attack remains within the application boundary without privilege escalation to underlying systems. The CVSS vector's C:N/I:H/A:H profile indicates flooding attacks can corrupt data integrity (I:H) and exhaust system resources (A:H) without directly leaking confidential information, though the 'Information Disclosure' tag suggests potential secondary impacts through system state observation.
RemediationAI
Upgrade PDKS to version VMYR_3.5.2025117 or later, as confirmed by TR-CERT advisory TR-26-0141 at https://www.usom.gov.tr/bildirim/tr-26-0141. Contact MeWare Software Development Inc. directly for patch deployment assistance and version compatibility guidance, particularly for customized installations. If immediate patching is not feasible, implement network-layer rate limiting through web application firewall (WAF) rules targeting PDKS endpoints-configure per-user request thresholds (e.g., 100 requests/minute) and IP-based limits (e.g., 500 requests/minute per source), though this may impact legitimate high-frequency automated integrations with timekeeping hardware. Deploy application-layer monitoring to detect flooding patterns (sustained high request rates from single accounts) and establish automated account suspension for anomalous behavior, accepting the risk of false positives during legitimate batch operations. Restrict PDKS network access to internal networks only via firewall rules, blocking internet-facing exposure unless business requirements explicitly demand external access-this reduces attack surface to insider threats and VPN-authenticated users. Review and audit low-privilege user accounts with PDKS access, revoking unnecessary credentials to minimize PR:L attack surface.
Remote authenticated attackers can bypass authorization controls in MeWare PDKS through user-controlled key manipulation
Authenticated remote attackers can access sensitive personal information in MeWare PDKS versions 16.20200313 through bef
Same weakness CWE-799 – Improper Control of Interaction Frequency
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26372