CVE-2025-7799
Published: 09 February 2026
Summary
CVE-2025-7799 is a high-severity Cross-site Scripting (CWE-79) vulnerability in the E-Taxpayer Accounting Website from Zirve Information Technologies Inc. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Web Portal Capture (T1056.003). The CVE ranks at the 20.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-7799 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the E-Taxpayer Accounting Website developed by Zirve Information Technologies Inc. The issue impacts versions of the software through 07082025. It received a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L), indicating high severity due to its network accessibility and low attack complexity.
Unauthenticated attackers with network access can exploit this vulnerability without requiring privileges or user interaction. Successful exploitation enables low-impact confidentiality violations, high-impact integrity modifications, and low-impact availability disruptions, potentially allowing malicious script execution in users' browsers.
The Turkish National Cyber Incident Response Center (USOM) has issued a notification on this vulnerability at https://www.usom.gov.tr/bildirim/tr-26-0019, which security practitioners should consult for mitigation guidance and patches.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207366
Vulnerability details
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zirve Information Technologies Inc. E-Taxpayer Accounting Website allows Reflected XSS. This issue affects e-Taxpayer Accounting Website: through 07082025.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables direct browser script execution, facilitating web portal credential capture, session hijacking, and web cookie theft.
Mitigating Controls (NIST 800-53 r5)
- Directly addresses reflected XSS by filtering outputs during web page generation to neutralize malicious scripts reflected from user input.
- Validates and sanitizes untrusted network inputs to prevent injection of malicious scripts into the E-Taxpayer Accounting Website.
- Remediates the specific XSS flaw through timely patching of the affected E-Taxpayer Accounting Website versions as advised by USOM.