Skip to main content

BiEticaret EUVDEUVD-2026-42546

| CVE-2026-5793 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-09 TR-CERT GHSA-7qpx-wmf3-25cj
6.1
CVSS 3.1 · Vendor: TR-CERT
Share

Severity by source

Vendor (TR-CERT) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Network-accessible reflected XSS requires no privileges or auth, but mandates victim interaction; scope change and low C/I impact match standard reflected XSS impact bounds.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorVendor: TR-CERT

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 10:00 vuln.today

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Inrove Software and Internet Services BiEticaret allows Reflected XSS.

This issue affects BiEticaret: before v3.3.57.

AnalysisAI

Reflected cross-site scripting in BiEticaret, a Turkish e-commerce platform by Inrove Software and Internet Services, enables remote unauthenticated attackers to inject and execute malicious JavaScript in victims' browsers by tricking them into clicking a crafted URL. All versions prior to v3.3.57 are affected across the full product line. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify vulnerable BiEticaret parameter
Delivery
Craft malicious URL with XSS payload
Exploit
Deliver link to victim via phishing
Execution
Victim clicks link
Persist
Browser reflects and executes payload
Impact
Steal session token or sensitive data

Vulnerability AssessmentAI

Exploitation No authentication is required by the attacker (CVSS PR:N), and the attack complexity is low (AC:L), meaning no specialized conditions or race conditions must be met on the server side. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 6.1 (Medium) accurately reflects the constrained impact: AV:N establishes network reachability, AC:L confirms trivial exploitation mechanics once a victim is targeted, and PR:N means no account or credentials are required by the attacker. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a BiEticaret installation running a version prior to v3.3.57 and discovers a URL parameter that is reflected unsanitized into the page response. The attacker crafts a URL embedding a JavaScript payload - such as a cookie-stealing script - and distributes it via phishing email or social media targeting customers of that storefront. …
Remediation The primary fix is to upgrade BiEticaret to version v3.3.57 or later, which resolves the improper input neutralization. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42546 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy