CVE-2025-7760
Published: 03 February 2026
Summary
CVE-2025-7760 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Gov (inferred from references). Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-7760 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Cross-site Scripting (XSS, CWE-79), that enables XSS attacks through HTTP Headers in Ofisimo Web-Based Software Technologies Association Web Package Flora. The issue affects versions from v3.0 through 03022026.
With a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H), the vulnerability can be exploited over the network by low-privileged authenticated users with low attack complexity and no user interaction. Attackers can achieve limited impacts on confidentiality and integrity, alongside high availability disruption.
An advisory reference is provided at https://www.usom.gov.tr/bildirim/tr-26-0015. The vendor was contacted early regarding this disclosure but did not respond in any way, and no patches or specific mitigations are detailed in available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206770
Vulnerability details
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ofisimo Web-Based Software Technologies Association Web Package Flora allows XSS Through HTTP Headers. This issue affects Association Web Package Flora: from v3.0 through 03022026. NOTE: The…
more
vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XSS via HTTP headers in a public-facing web app directly enables exploitation of the application (T1190) and arbitrary JavaScript execution in victim browsers (T1059.007).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses improper neutralization of input during web page generation by requiring output filtering to sanitize HTTP header data before rendering, preventing XSS execution.
Requires validation of information inputs from untrusted sources like HTTP headers, blocking malicious XSS payloads before they reach web page generation.
Mandates identification, reporting, and correction of flaws like this XSS vulnerability, enabling patching or code fixes despite vendor non-responsiveness.