Skip to main content

Access Control System GKS EUVDEUVD-2026-42018

| CVE-2026-8309 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-07 TR-CERT GHSA-8g9p-mgr6-f26j
5.4
CVSS 3.1 · Vendor: TR-CERT
Share

Severity by source

Vendor (TR-CERT) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

PR:L confirmed by authenticated web app context; UI:R required for reflected delivery; S:C applies as script executes in victim browser scope; no availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorVendor: TR-CERT

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 08:07 vuln.today

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Armiya Information Technologies Ltd. Co. Access Control System (GKS) allows Reflected XSS.

This issue affects Access Control System (GKS): before Version 2.

AnalysisAI

Reflected cross-site scripting in Armiya Information Technologies' Access Control System (GKS) before Version 2 allows authenticated remote attackers to inject malicious scripts into web responses. The vulnerability (CWE-79) results from improper neutralization of user-supplied input during web page generation, with scope change (S:C) indicating execution context escapes to the victim's browser. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege GKS account
Delivery
Craft malicious reflected XSS URL
Exploit
Deliver link to privileged victim via phishing
Execution
Victim clicks link in authenticated session
Persist
Injected script executes in victim's browser
Impact
Exfiltrate session token or perform actions as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to possess a valid low-privilege account on the Access Control System GKS web application (confirmed by CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.4 Medium score reflects a constrained but real attack surface. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated attacker crafts a URL targeting a vulnerable parameter in the GKS web interface that embeds a JavaScript payload, then delivers the link to a legitimate GKS administrator or operator via phishing or internal message. When the victim clicks the link and their browser renders the reflected response, the injected script executes in their browser session, potentially exfiltrating session cookies or credentials to the attacker's controlled server.
Remediation Upgrade to Access Control System (GKS) Version 2 or later, which is the vendor-confirmed fix boundary per the TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0502. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42018 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy