Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Network-reachable, unauthenticated (PR:N) data disclosure with no user interaction; confidentiality-only impact (C:H, I:N, A:N) consistent with CWE-201 information exposure.
Primary rating from Vendor (TR-CERT).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
Insertion of sensitive information into sent data vulnerability in IKAS Technology Inc. E-Commerce allows Retrieve Embedded Sensitive Data.
This issue affects E-Commerce: through 03062026.
AnalysisAI
Sensitive information disclosure in iKAS Technology Inc.'s E-Commerce platform (all versions through build 03062026) allows remote unauthenticated attackers to retrieve embedded sensitive data returned in server responses. Classified under CWE-201, the flaw causes confidential data to be inserted into data sent to clients, exposing it without authentication or user interaction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Per the CVSS vector (AV:N/AC:L/PR:N/UI:N), exploitation requires no authentication, no user interaction, and only network reachability to the affected iKAS E-Commerce application running any version through build 03062026 - effectively no special conditions against default deployments. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5 High) describes a purely confidentiality-impacting flaw: network-reachable, low complexity, no privileges, no user interaction, high confidentiality loss with no integrity or availability impact - a classic unauthenticated data-exposure pattern. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote attacker with no credentials sends ordinary HTTP requests to the iKAS storefront or its API and observes that the responses embed sensitive information the attacker should not see. By systematically collecting these responses, the attacker harvests confidential data at scale without authentication or user interaction. … |
| Remediation | No vendor-released patch version is identified at time of analysis, so no exact fix build can be cited. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Conduct urgent inventory of all iKAS platform instances and the sensitive data they process; implement emergency mitigation by deploying a Web Application Firewall to redact sensitive data patterns from HTTP responses and enable comprehensive response logging for forensic analysis. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in E Commerce
View allMultiple SQL injection vulnerabilities in the Welcart e-Commerce plugin 1.3.12 for WordPress allow remote attackers to e
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mAyaNet E-Commerce
Multiple cross-site scripting (XSS) vulnerabilities in the Welcart e-Commerce plugin 1.3.12 for WordPress allow remote a
An authenticated attacker in SAP E-Commerce (Business-to-Consumer application), versions 7.3, 7.31, 7.32, 7.33, 7.54, ca
A security flaw has been discovered in detronetdip E-commerce 1.0.0. The impacted element is the function Delete/Update
Reflected XSS in AKIN Software E-Commerce (all versions before 1.25.01.06) enables unauthenticated remote attackers to i
SAP E-Commerce (Business-to-Consumer) application does not sufficiently encode user-controlled inputs, resulting in Cros
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yaztek Software Te
A DOM-based cross-site scripting vulnerability exists in electic-shop v1.0 (Bhabishya-123/E-commerce). Rated medium seve
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45170
GHSA-f2ff-w92f-jm4h