Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Reflected XSS requires no authentication (PR:N) but depends on victim loading a crafted URL (UI:R); S:C reflects script execution crossing into the browser context.
Primary rating from Vendor (TR-CERT).
CVSS VectorVendor: TR-CERT
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Webbeyaz Web Design Mediküm Web allows Reflected XSS.
This issue affects Mediküm Web: through 08072026. NOTE: The vendor was contacted and it was learned that the product is not supported.
AnalysisAI
Reflected XSS in Mediküm Web, a Turkish healthcare web application by Webbeyaz Web Design, enables unauthenticated remote attackers to inject and execute malicious scripts in victims' browsers by tricking them into visiting a crafted URL. All versions through 08072026 are affected with no patch available or forthcoming, as the vendor has confirmed the product is end-of-life and unsupported. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a victim user to actively click or load a crafted URL containing the XSS payload targeting the Mediküm Web application - confirmed by the CVSS UI:R metric. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.1 Medium, vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, is consistent with a standard reflected XSS profile: network-reachable, low complexity, no authentication, but gated by required user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a Mediküm Web parameter that reflects unsanitized user input and constructs a URL embedding a JavaScript payload (e.g., a cookie-stealing script). The attacker distributes this crafted URL to a target user via phishing email or message; when the victim clicks the link and the Mediküm Web server reflects the payload in the HTML response, the script executes in the victim's browser under the application's origin. … |
| Remediation | No vendor-released patch is available and none is expected, as the vendor has confirmed Mediküm Web is an unsupported, end-of-life product. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Medik M Web
View allSQL injection in Webbeyaz Web Design's Mediküm Web application (all versions through build 08072026) lets remote unauthe
Stored cross-site scripting in Mediküm Web (by Webbeyaz Web Design) enables authenticated low-privilege attackers to per
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42224
GHSA-73vp-vhfv-cfq2