Cyber Resilience

CVE-2025-7760

HighUpdated

Published: 03 February 2026

Published
03 February 2026
Modified
05 June 2026
KEV Added
Patch
CVSS Score v3.1 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
EPSS Score 0.0002 7.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-7760 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Gov (inferred from references). Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-7760 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Cross-site Scripting (XSS, CWE-79), that enables XSS attacks through HTTP Headers in Ofisimo Web-Based Software Technologies Association Web Package Flora. The issue affects versions from v3.0 through 03022026.

With a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H), the vulnerability can be exploited over the network by low-privileged authenticated users with low attack complexity and no user interaction. Attackers can achieve limited impacts on confidentiality and integrity, alongside high availability disruption.

An advisory reference is provided at https://www.usom.gov.tr/bildirim/tr-26-0015. The vendor was contacted early regarding this disclosure but did not respond in any way, and no patches or specific mitigations are detailed in available information.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ofisimo Web-Based Software Technologies Association Web Package Flora allows XSS Through HTTP Headers. This issue affects Association Web Package Flora: from v3.0 through 03022026. NOTE: The…

more

vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

XSS via HTTP headers in a public-facing web app directly enables exploitation of the application (T1190) and arbitrary JavaScript execution in victim browsers (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3231Shared CWE-79
CVE-2025-23481Shared CWE-79
CVE-2025-69302Shared CWE-79
CVE-2025-23734Shared CWE-79
CVE-2025-23571Shared CWE-79
CVE-2025-65110Shared CWE-79
CVE-2026-24948Shared CWE-79
CVE-2025-27352Shared CWE-79
CVE-2025-30349Shared CWE-79
CVE-2026-3876Shared CWE-79

Affected Assets

Gov
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses improper neutralization of input during web page generation by requiring output filtering to sanitize HTTP header data before rendering, preventing XSS execution.

prevent

Requires validation of information inputs from untrusted sources like HTTP headers, blocking malicious XSS payloads before they reach web page generation.

preventrecover

Mandates identification, reporting, and correction of flaws like this XSS vulnerability, enabling patching or code fixes despite vendor non-responsiveness.

References