Description
A weakness has been identified in BichitroGan ISP Billing Software 2025.3.20. Affected is an unknown function of the file /?_route=pool/add of the component Pool List Interface. Executing a manipulation can lead to cross site scripting. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-20
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross Site Scripting
Action: Patch
AI Analysis

Impact

The reported weakness is a cross site scripting vulnerability located in the Pool List Interface of BichitroGan ISP Billing Software. A manipulated request to the route /?_route=pool/add can inject script content that will be executed by a victim's browser when viewed. The flaw is documented as a CWE-79 XSS and also involves potential code injection (CWE-94). Adversaries can trigger the flaw remotely, and the exploit is publicly available, meaning immediate exposure is possible with no prerequisite access.

Affected Systems

This issue impacts the BichitroGan ISP Billing Software, specifically version 2025.3.20. The affected component is an otherwise undocumented function in the Pool List Interface; no further sub-components are identified. The vendor, BichitroGan, has not yet responded to the disclosure.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity; however, the exploit is freely available and can be performed from a remote machine, implying a realistic attack surface for any organization using the affected version. The EPSS score is not available, so the precise likelihood of exploitation is unknown, but the lack of vendor response and the public disclosure increase concern. The vulnerability is not listed in the CISA KEV catalog, yet its remote XSS nature can lead to credential theft, defacement, or redirection of user traffic. Potential attackers would target the web interface of the billing system, likely bypassing authentication or exploiting unauthenticated access if not properly secured.

Generated by OpenCVE AI on April 20, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a fixed release of BichitroGan ISP Billing Software when it becomes available.
  • Validate and encode all input data passed to the /?_route=pool/add endpoint to prevent XSS payloads.
  • Limit access to the Pool List Interface to authenticated, authorized users only and consider deploying a web application firewall to block malicious scripts.
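The second recommendation (validate and encode input that reaches the pool/add endpoint before it is rendered) as an added Python example. This is illustrative code written for this page, not BichitroGan's own code, which is not public here; the function names, the pool-name field, the allowlist pattern and the sample values are all assumptions, and the hostile sample value is constructed only to show that encoding renders it inert.

```python
# Added example, not code from BichitroGan or OpenCVE. Shows the two layers the
# recommendation names: an input allowlist at the form boundary and HTML output
# encoding at the rendering boundary. All names here are hypothetical.
import html
import re

# Constructed sample values of the kind a "pool name" form field might receive.
SAMPLE_POOL_NAMES = [
    "home-users",                      # ordinary value
    "Office & Lab",                    # harmless but needs entity encoding
    "<script>alert(1)</script>",       # constructed hostile value (textbook probe)
]

# Layer 1: validation. Pool names are assumed to be short identifiers, so an
# allowlist is appropriate; reject anything outside it instead of "cleaning" it.
_POOL_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _.-]{0,63}$")


def validate_pool_name(pool_name: str) -> bool:
    """Return True only if the value matches the allowlist for pool names."""
    return bool(_POOL_NAME_RE.fullmatch(pool_name))


# Layer 2: output encoding. Even a value that passed validation (or one stored
# before validation existed) must be encoded for the context it is written into.
def render_pool_row_unsafe(pool_name: str) -> str:
    """Vulnerable pattern (CWE-79): raw interpolation of user data into HTML."""
    return f"<tr><td>{pool_name}</td></tr>"


def render_pool_row_safe(pool_name: str) -> str:
    """Hardened pattern: entity-encode before placing the value in element content."""
    return f"<tr><td>{html.escape(pool_name, quote=True)}</td></tr>"


def render_input_value_safe(pool_name: str) -> str:
    """Same value echoed back into an attribute (e.g. re-displaying the form after
    a validation error). quote=True matters here so a quote character cannot
    terminate the attribute."""
    return f'<input name="pool_name" value="{html.escape(pool_name, quote=True)}">'


def handle_pool_add(pool_name: str) -> str:
    """Hypothetical handler for the pool/add form: validate first, then render
    only encoded output. Returns the HTML fragment that would be sent back."""
    if not validate_pool_name(pool_name):
        # Echo the rejected value back encoded, never raw.
        return f"<p>Invalid pool name: {html.escape(pool_name, quote=True)}</p>"
    return render_pool_row_safe(pool_name)


if __name__ == "__main__":
    for name in SAMPLE_POOL_NAMES:
        print("valid:", validate_pool_name(name))
        print("unsafe:", render_pool_row_unsafe(name))
        print("safe:  ", render_pool_row_safe(name))
        print("handler:", handle_pool_add(name))
        print()
```

The encoding layer is the one that actually prevents script execution; the allowlist is defence in depth and also keeps stored data sane. Note that `html.escape` is correct for HTML element content and quoted attribute values only; a value written into a JavaScript block, a URL, or CSS needs that context's own encoding.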

Generated by OpenCVE AI on April 20, 2026 at 10:20 UTC.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 09:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: A weakness has been identified in BichitroGan ISP Billing Software 2025.3.20. Affected is an unknown function of the file /?_route=pool/add of the component Pool List Interface. Executing a manipulation can lead to cross site scripting. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Removed: (none)
Values Added: BichitroGan ISP Billing Software Pool List add cross site scripting

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79, CWE-94

Type: References
Values Removed: (none)
Values Added: (not shown on this page)

Type: Metrics
Values Removed: (none)
Values Added:
cvssV2_0 {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T13:27:39.595Z

Reserved: 2026-04-19T16:32:20.616Z

Link: CVE-2026-6624

Vulnrichment

Updated: 2026-04-20T13:27:36.419Z

NVD

Status: Received

Published: 2026-04-20T10:16:17.580

Modified: 2026-04-20T10:16:17.580

Link: CVE-2026-6624

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T10:30:04Z

Weaknesses