CVE-2025-6397
Published: 03 February 2026
Summary
CVE-2025-6397 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Gov (inferred from references). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 14.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-6397 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS), in the Ankara Hosting Website Design Website Software. This issue, tied to CWE-79, affects all versions of the software through 03022026.
The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H), making it exploitable over the network by unauthenticated attackers with low complexity and no user interaction. Successful exploitation yields a low confidentiality and integrity impact together with a high availability impact.
The advisory at https://www.usom.gov.tr/bildirim/tr-26-0014 provides details on the issue. The vendor was contacted early about this disclosure but did not respond in any way, and no patches are referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206769
Vulnerability details
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ankara Hosting Website Design Website Software allows Reflected XSS. This issue affects Website Software: through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing web software directly enables exploitation of the application via crafted input (T1190).
Mitigating Controls (NIST 800-53 r5)
SI-15 (Information Output Filtering): Directly addresses improper neutralization of input during web page generation by requiring filtering of information outputs to prevent reflected XSS execution.
SI-10 (Information Input Validation): Enforces validation of user inputs to block malicious scripts from being processed and reflected in web responses.
Requires review of publicly accessible web content to identify and mitigate XSS vulnerabilities before deployment.
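To make the two controls concrete, the following added example (not code from the affected product or the advisory) shows the CWE-79 reflection pattern beside a handler that layers SI-10 allow-list validation and SI-15 context-aware output encoding; the search-term handler, allow-list pattern and sample inputs are constructed assumptions.

```python
import html
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple

# Assumed allow-list for a search parameter (SI-10): letters, digits, spaces, hyphens.
SEARCH_TERM_RE = re.compile(r"[\w \-]{1,64}")


def render_vulnerable(term: str) -> str:
    """CWE-79 pattern: the request parameter is written into the HTML unchanged."""
    return f"<p>Results for: {term}</p>"


def validate_search_term(term: str) -> Optional[str]:
    """SI-10: reject anything outside the allow-list before it is processed at all."""
    return term if SEARCH_TERM_RE.fullmatch(term) else None


def render_hardened(term: str) -> str:
    """SI-15: encode for the HTML text context and, separately, for an attribute context."""
    text_safe = html.escape(term, quote=False)   # text node: < > & are enough
    attr_safe = html.escape(term, quote=True)    # attribute: quotes must be encoded too
    return (f"<p>Results for: {text_safe}</p>\n"
            f'<input type="search" name="q" value="{attr_safe}">')


def handle_search(term: str) -> Tuple[int, str]:
    """Layer both controls: validation gates the input, encoding neutralizes the output."""
    checked = validate_search_term(term)
    if checked is None:
        return 400, render_hardened("invalid search term")  # never echo the rejected value
    return 200, render_hardened(checked)


class _Audit(HTMLParser):
    """Parses a rendered page to see what the browser would treat as tags and attributes."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.attrs: Dict[str, Optional[str]] = {}

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)
        self.attrs.update(dict(attrs))


def audit(page: str) -> Tuple[List[str], Dict[str, Optional[str]]]:
    """Returns the tag names and attributes a parser recovers: reflected data must not become either."""
    parser = _Audit()
    parser.feed(page)
    return parser.tags, parser.attrs
```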