Cyber Resilience

CVE-2025-13002

Severity: High (record updated)

Published: 12 February 2026
Modified: 04 June 2026
KEV Added: not listed
Remediation: Patch
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
EPSS Score: 0.0022 (11.7th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2025-13002 is a high-severity Cross-site Scripting (CWE-79) vulnerability in the Farktor E-Commerce Package. Its CVSS v3.1 base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS score places it at the 11.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering), applied alongside the vendor patch.

Deeper analysis

CVE-2025-13002 is an Improper Neutralization of Input During Web Page Generation vulnerability that enables Cross-Site Scripting (XSS), mapped to CWE-79. It affects the E-Commerce Package developed by Farktor Software E-Commerce Services Inc. in all versions through 27112025; the affected-asset listing renders this as a date-style build identifier (27 November 2025), so a version at or before that build should be treated as affected.

The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H): exploitable remotely over the network, with low attack complexity, no privileges and no user interaction required, yielding low integrity impact and high availability impact in an unchanged scope. This vector is atypical for CWE-79. Reflected and stored XSS are usually scored with user interaction required (UI:R) and some confidentiality impact, so treat the 8.2 as the advisory's assessment of this specific flaw rather than a property of the weakness class, and confirm the exposure against the vendor bulletin before prioritising on the score alone.

Mitigation guidance is available in the advisory from USOM at https://www.usom.gov.tr/bildirim/tr-26-0063.

Vulnerability details

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Cross-Site Scripting (XSS). This issue affects E-Commerce Package: through 27112025.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1189 Drive-by Compromise (Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

Why these techniques?

XSS in a public-facing web application is itself an exploitation of that application (T1190), and a reflected or stored payload turns the site into a delivery vector for drive-by compromise of its visitors (T1189).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
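The T1190 mapping above implies a detection opportunity: XSS probes against a public-facing application show up in the web server access log before any page is ever rendered to a victim. The following is an added example, not code from the original page or from Farktor, of a minimal detector run over constructed Apache combined-format log lines. The log lines, the request paths and the pattern list are all assumptions for illustration; a real deployment would tune the patterns against the application's own parameter names.

```javascript
// Added example (not from the original page): detect XSS probes against a
// public-facing web application (ATT&CK T1190) in web server access logs.
// SAMPLE_LOG is constructed for illustration; the IPs are documentation ranges.
const SAMPLE_LOG = [
  '203.0.113.5 - - [12/Feb/2026:10:01:02 +0000] "GET /search?q=shoes HTTP/1.1" 200 5120',
  '203.0.113.5 - - [12/Feb/2026:10:01:09 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5210',
  '198.51.100.7 - - [12/Feb/2026:10:02:15 +0000] "GET /product?id=7%22%20onmouseover%3D%22alert(2) HTTP/1.1" 200 4100',
  '198.51.100.7 - - [12/Feb/2026:10:02:20 +0000] "GET /product?id=7 HTTP/1.1" 200 4099',
  '192.0.2.9 - - [12/Feb/2026:10:03:00 +0000] "GET /cart?ref=javascript:alert(document.cookie) HTTP/1.1" 302 0',
];

// Patterns that mark script-injection attempts once the request path has been
// percent-decoded. Assumed list; extend it from your own scanner telemetry.
const XSS_PATTERNS = [
  /<\s*script/i,                    // script tag in any parameter
  /javascript\s*:/i,                // javascript: URL scheme
  /\bon[a-z]+\s*=/i,                // event-handler attribute injection
  /<\s*(img|svg|iframe|object)\b/i, // tag injection that carries handlers
];

// Apache combined format: ip ident user [ts] "METHOD path HTTP/x" status bytes
const REQ_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+/;

// Decode up to twice so double-encoded probes are caught; a malformed escape
// sequence stops decoding rather than dropping the line.
function decodeRequestPath(raw) {
  let s = raw;
  for (let i = 0; i < 2; i++) {
    try { s = decodeURIComponent(s.replace(/\+/g, ' ')); } catch (_) { break; }
  }
  return s;
}

// Parse one line into its fields, or return null for lines that do not match.
function parseLine(line) {
  const m = REQ_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], ts: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Return one hit per request whose decoded path matches any XSS pattern.
function detectXssProbes(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    const decoded = decodeRequestPath(req.path);
    const matched = XSS_PATTERNS.filter(re => re.test(decoded)).map(re => re.source);
    if (matched.length) hits.push({ ip: req.ip, ts: req.ts, path: req.path, decoded, matched });
  }
  return hits;
}

// Stand-alone run: prints the three probing requests from the sample log.
console.log(JSON.stringify(detectXssProbes(SAMPLE_LOG), null, 2));
```

The event-handler pattern is the noisiest of the four: a legitimate parameter such as `option=` or `onboarding=` also matches `on[a-z]+=`, so in practice the rule is scoped to parameters the application treats as free text, or combined with the decoded presence of a quote or angle bracket. Decoding before matching matters because almost every scanner percent-encodes the payload, and a single pass misses the double-encoded variants that some WAF-evasion tooling emits.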

CVEs Like This One

CVE-2025-10969 (same product: Farktor E-Commerce Package)
CVE-2025-28917 (shared CWE-79)
CVE-2025-23994 (shared CWE-79)
CVE-2025-27500 (shared CWE-79)
CVE-2025-67984 (shared CWE-79)
CVE-2025-59057 (shared CWE-79)
CVE-2024-56267 (shared CWE-79)
CVE-2026-1931 (shared CWE-79)
CVE-2025-25144 (shared CWE-79)
CVE-2025-0957 (shared CWE-79)

Affected Assets

Vendor: farktor
Product: e-commerce package
Versions: ≤ 2025-11-27 (version string 27112025)

Mitigating Controls (NIST 800-53 r5)

SI-15 Information Output Filtering (prevent)
Directly addresses improper neutralization of input during web page generation by filtering and contextually encoding output so that user-controlled data cannot be interpreted as script.

SI-10 Information Input Validation (prevent)
Validates user inputs against an allowlist of expected structure to block malicious payloads that could lead to XSS in the E-Commerce Package.

SI-2 Flaw Remediation (prevent)
Remediates the specific XSS flaw in E-Commerce Package versions through 27112025 by applying the vendor patch referenced in the USOM advisory and keeping the package updated.
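The two preventive controls above are easiest to see side by side. The following is an added example, not code from the original page or from the Farktor package, showing a hypothetical e-commerce search page that reflects a query string and a product id into HTML, first as written without controls and then with SI-10 allowlist validation and SI-15 contextual output encoding applied. Every function and regex name here is an assumption for illustration; nothing is known about the real package's code.

```javascript
// Added example (not the vendor's code): SI-10 input validation and SI-15
// output filtering applied to a hypothetical search page. renderVulnerable,
// renderHardened, escapeHtml and PRODUCT_ID_RE are illustrative names.

// Vulnerable rendering: untrusted values are concatenated straight into HTML
// body and attribute contexts. This is the CWE-79 shape, kept as-is on purpose.
function renderVulnerable(params) {
  return `<h1>Results for ${params.q}</h1>` +
         `<a href="/product?id=${params.id}">Back to product</a>`;
}

// SI-15: encode for the HTML body/attribute context. The five characters that
// can change parsing state are replaced with entity references.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// SI-10: allowlist validation for a structurally constrained input. A product
// id is rejected before it reaches any output context if it is not numeric.
const PRODUCT_ID_RE = /^[0-9]{1,12}$/;
function validateProductId(id) {
  if (!PRODUCT_ID_RE.test(String(id))) {
    throw new Error('invalid product id');
  }
  return String(id);
}

// Hardened rendering: validate what can be validated (the id), and encode
// per context for what cannot (the free-text query). The href value is
// URL-encoded for the query-string context and then HTML-encoded for the
// attribute context it is placed in.
function renderHardened(params) {
  const id = validateProductId(params.id);
  const href = '/product?id=' + encodeURIComponent(id);
  return `<h1>Results for ${escapeHtml(params.q)}</h1>` +
         `<a href="${escapeHtml(href)}">Back to product</a>`;
}

// Constructed probe of the kind an XSS scanner sends: a script tag for the
// body context and an attribute breakout for the href context.
const PROBE = { q: '<script>alert(1)</script>', id: '7" onmouseover="alert(2)' };

// Stand-alone run: the first output carries live script, the second does not.
console.log(renderVulnerable(PROBE));
console.log(renderHardened({ q: PROBE.q, id: '42' }));
```

The ordering in `renderHardened` is the practical point: validation (SI-10) is applied to inputs with a known shape, because it removes whole classes of payload before they reach any sink, while encoding (SI-15) is applied at the sink to everything else, because a search query legitimately contains characters that cannot be rejected. Encoding is chosen by the context the value lands in, not by the type of the value, which is why the same id is passed through `encodeURIComponent` and then `escapeHtml`.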

References

USOM advisory TR-26-0063: https://www.usom.gov.tr/bildirim/tr-26-0063