Cyber Resilience

CVE-2025-14343

HighUpdated

Published: 26 February 2026

Published
26 February 2026
Modified
04 June 2026
KEV Added
Patch
CVSS Score v3.1 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
EPSS Score 0.0005 14.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-14343 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Gov (inferred from references). Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 14.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-14343 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS), in Dokuzsoft Technology Ltd.'s E-Commerce Product. This issue, associated with CWE-79, affects all versions of the product through 10122025. It was published on 2026-02-26 with a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H).

A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity by crafting malicious input, such as a specially prepared URL or form submission, and tricking a user into interacting with it, for example by clicking a link or viewing a page. Upon successful exploitation, the injected script executes in the victim's browser context, potentially allowing limited disclosure of sensitive data (low confidentiality impact), minor manipulation of page content or actions (low integrity impact), and significant disruption such as browser crashes or denial of service (high availability impact).

Mitigation details are available in the advisory published by the Turkish National Cyber Incident Response Center (USOM) at https://www.usom.gov.tr/bildirim/tr-26-0083.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dokuzsoft Technology Ltd. E-Commerce Product allows Reflected XSS. This issue affects E-Commerce Product: through 10122025.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
T1606.001 Web Cookies Credential Access
Adversaries may forge web cookies that can be used to gain access to web applications or Internet services.
Why these techniques?

Reflected XSS directly enables drive-by or spearphishing link delivery of browser scripts for session/credential theft.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-23857Shared CWE-79
CVE-2025-24598Shared CWE-79
CVE-2025-32123Shared CWE-79
CVE-2025-22568Shared CWE-79
CVE-2024-12749Shared CWE-79
CVE-2025-67964Shared CWE-79
CVE-2024-56032Shared CWE-79
CVE-2026-24752Shared CWE-79
CVE-2025-24656Shared CWE-79
CVE-2025-23652Shared CWE-79

Affected Assets

Gov
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the improper neutralization of input vulnerability by validating user inputs such as URLs or form data to block malicious XSS payloads before processing.

prevent

Prevents reflected XSS execution by filtering or encoding reflected user inputs during web page generation to neutralize script injection.

prevent

Addresses the specific flaw in Dokuzsoft E-Commerce Product through timely identification, testing, and application of patches or updates for this CVE.

References