Skip to main content

Mediküm Web EUVDEUVD-2026-42225

| CVE-2026-8315 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-08 TR-CERT GHSA-5wr2-9gxx-hx7w
5.4
CVSS 3.1 · Vendor: TR-CERT
Share

Severity by source

Vendor (TR-CERT) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Low-privilege auth is required to store the payload (PR:L), victim must view the page (UI:R), and script executes cross-boundary in victim browser (S:C); no availability impact applies.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorVendor: TR-CERT

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 08, 2026 - 13:20 vuln.today

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Webbeyaz Web Design Mediküm Web allows Stored XSS.

This issue affects Mediküm Web: through 08072026. NOTE: The vendor was contacted and it was learned that the product is not supported.

AnalysisAI

Stored cross-site scripting in Mediküm Web (by Webbeyaz Web Design) enables authenticated low-privilege attackers to persist malicious scripts that execute in the browsers of other users who view the affected pages. All versions through 08072026 are affected per the CVE scope, with the CVSS scope-change metric (S:C) confirming cross-boundary execution into victim browser sessions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain low-privilege application account
Delivery
Identify unsanitized input field accepting stored data
Exploit
Submit crafted XSS payload via that field
Install
Payload persisted in application database
C2
Victim user loads the affected page
Execute
Stored script executes in victim browser under application origin
Impact
Session token exfiltrated or victim actions hijacked

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to possess a valid low-privilege authenticated account on the Mediküm Web instance (PR:L in the CVSS vector confirms this). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 5.4 (Medium) reflects meaningful but constrained risk: PR:L requires the attacker to hold a valid low-privilege account before injection is possible, and UI:R means a victim must actively visit the page hosting the stored payload - reducing opportunistic mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privilege account submits a crafted input (e.g., a form field or profile attribute) containing a JavaScript payload such as a cookie-stealing script; this payload is stored server-side without sanitization. When an administrator or another authenticated user subsequently loads the affected page, the stored script executes in their browser under the application's origin, potentially harvesting their session token and forwarding it to an attacker-controlled endpoint. …
Remediation No vendor-released patch exists and none will be forthcoming, as the vendor has confirmed the product is unsupported. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42225 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy