Cyber Posture

CVE-2025-14343

High

Published: 26 February 2026

Published
26 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
EPSS Score 0.0005 14.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-14343 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Gov (inferred from references). Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 14.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Drive-by Compromise (T1189) and 2 other techniques.
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

CA-8 Penetration Testing
addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

SI-10 Information Input Validation
addresses: CWE-79

Validates web inputs to reject script-related content that could produce XSS.

SI-15 Information Output Filtering
addresses: CWE-79

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
attack.mitre.org →
T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
attack.mitre.org →
T1606.001 Web Cookies Credential Access
Adversaries may forge web cookies that can be used to gain access to web applications or Internet services.
attack.mitre.org →
Why these techniques?

Reflected XSS directly enables drive-by or spearphishing link delivery of browser scripts for session/credential theft.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dokuzsoft Technology Ltd. E-Commerce Product allows Reflected XSS.This issue affects E-Commerce Product: through 10122025.

Deeper analysisAI

CVE-2025-14343 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS), in Dokuzsoft Technology Ltd.'s E-Commerce Product. This issue, associated with CWE-79, affects all versions of the product through 10122025. It was published on 2026-02-26 with a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H).

A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity by crafting malicious input, such as a specially prepared URL or form submission, and tricking a user into interacting with it, for example by clicking a link or viewing a page. Upon successful exploitation, the injected script executes in the victim's browser context, potentially allowing limited disclosure of sensitive data (low confidentiality impact), minor manipulation of page content or actions (low integrity impact), and significant disruption such as browser crashes or denial of service (high availability impact).

Mitigation details are available in the advisory published by the Turkish National Cyber Incident Response Center (USOM) at https://www.usom.gov.tr/bildirim/tr-26-0083.

Details

CWE(s)
CWE-79

Affected Products

Gov
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-24598Shared CWE-79
CVE-2025-22568Shared CWE-79
CVE-2025-23857Shared CWE-79
CVE-2025-32123Shared CWE-79
CVE-2024-56032Shared CWE-79
CVE-2025-23652Shared CWE-79
CVE-2026-34375Shared CWE-79
CVE-2025-23610Shared CWE-79
CVE-2025-67964Shared CWE-79
CVE-2025-24656Shared CWE-79

References