Description
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Beyaz Computer Software Design Industry and Trade Ltd. Co. CityPLus allows Reflected XSS.

This issue affects CityPLus: before V24.29750.1.0.
Published: 2026-05-20
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Beyaz Computer’s CityPLus allows an attacker to inject malicious scripts that are reflected back to the victim’s browser. Although it does not compromise the server itself, the reflected XSS can lead to session hijacking, cookie theft, defacement, or execution of arbitrary JavaScript within the context of the target user. The weakness corresponds to CWE-79; fixing it requires proper neutralization of user input when generating dynamic web pages.

Affected Systems

Beyaz Computer Software Design Industry and Trade Ltd. Co. product CityPLus, versions prior to V24.29750.1.0, are affected. No additional vendors or versions are listed.

Risk and Exploitability

The CVSS score of 7.6 classifies this issue as high severity. EPSS data is not available, and the vulnerability is not currently listed in CISA KEV. The likely attack vector is a web request that contains malicious input; a remote attacker can exploit it by crafting a URL pointing to CityPLus’s web interface to deliver the malicious script. The impact is restricted to victim users who load the affected page. Based on the CVSS, the risk is significant, especially in environments where CityPLus is exposed to untrusted actors.

Generated by OpenCVE AI on May 20, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update CityPLus to version V24.29750.1.0 or later to eliminate the reflected XSS flaw.
  • Ensure all user-supplied data that is rendered into HTML is properly encoded or validated to prevent injection of executable scripts.
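  • Implement a Content Security Policy and enable XSS protection headers (e.g., X-XSS-Protection, X-Content-Type-Options) to reduce the likelihood that any residual scripts will execute. X-XSS-Protection is deprecated and ignored by current browsers, so the Content Security Policy is the control that carries the weight here.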



Advisories

No advisories yet.

History

Wed, 20 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Beyaz Computer Software Design Industry and Trade Ltd. Co. CityPLus allows Reflected XSS. This issue affects CityPLus: before V24.29750.1.0.
Title | | Reflected XSS in Beyaz Computer's CityPLus
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H'}



MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-05-20T15:29:22.824Z

Reserved: 2026-04-08T08:51:19.877Z

Link: CVE-2026-5783

Vulnrichment

Updated: 2026-05-20T15:29:19.533Z

NVD

Status: Deferred

Published: 2026-05-20T16:16:26.790

Modified: 2026-05-20T17:30:47.177

Link: CVE-2026-5783

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T16:30:14Z

Weaknesses