Skip to main content

Destekz EUVDEUVD-2026-41527

| CVE-2026-4322 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-03 TR-CERT GHSA-m2vv-wr2h-x573
6.1
CVSS 3.1 · Vendor: TR-CERT
Share

Severity by source

Vendor (TR-CERT) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Reflected XSS requires no privileges or special configuration, scope changes as injected script affects browser context beyond the origin page, and mandatory user interaction (UI:R) limits attacker control over triggering.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorVendor: TR-CERT

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 03, 2026 - 10:21 vuln.today

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Raera - Ankara Web Design and Digital Advertising Agency Destekz allows Reflected XSS.

This issue affects Destekz: through 02062026. NOTE: The vendor was contacted and it was learned that the product is not supported.

AnalysisAI

Reflected XSS in Destekz (all versions through 02062026) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in victim browsers by delivering crafted URLs containing unsanitized input. The CVSS scope change (S:C) confirms that successful exploitation can affect resources beyond the vulnerable application itself, such as the victim's browser session context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify unsanitized input parameter in Destekz
Delivery
Craft malicious URL embedding XSS payload
Exploit
Deliver URL to victim via phishing or social engineering
Install
Victim clicks link and browser sends crafted request
C2
Destekz reflects unsanitized input in HTTP response
Execute
Injected script executes in victim browser context
Impact
Session cookie or credential exfiltrated to attacker

Vulnerability AssessmentAI

Exploitation The CVSS vector (PR:N) confirms no authentication is required to craft and deliver the attack payload. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.1 score (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) reflects moderate severity: the attack is network-reachable with low complexity and requires no privileges, but depends on user interaction (UI:R) to deliver the reflected payload. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies an unsanitized parameter in a Destekz page that reflects user input directly into the HTTP response and constructs a URL embedding a JavaScript payload such as a cookie-stealing script. The attacker distributes the crafted URL through phishing email or social engineering targeting users of the affected application. …
Remediation No vendor-released patch identified at time of analysis, and none is expected given the vendor's confirmed statement that Destekz is no longer supported. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41527 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy