Cyber Resilience

CVE-2026-7402

High · Updated

Published: 30 April 2026

Modified: 06 June 2026
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0038 (29.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-7402 is a high-severity Improper Control of Interaction Frequency (CWE-799) vulnerability in Gov (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE ranks at the 29.8th percentile by exploit likelihood (EPSS), below the median, and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-7402 is an Improper Control of Interaction Frequency vulnerability (CWE-799) in MeWare Software Development Inc.'s PDKS software that allows flooding attacks. Published on 2026-04-30, it affects PDKS versions from V16.20200313 before VMYR_3.5.2025117 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

Attackers with low privileges can exploit the vulnerability remotely over the network with low attack complexity and without requiring user interaction. Exploitation enables high-impact disruption to integrity and availability, permitting flooding that can compromise data integrity and cause significant service denial.

The USOM advisory at https://www.usom.gov.tr/bildirim/tr-26-0141 provides further details on mitigations for this issue.

Vulnerability details

Improper Control of Interaction Frequency vulnerability in MeWare Software Development Inc. PDKS allows Flooding. This issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.003 · Application Exhaustion Flood · Impact
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.

Why these techniques?

The CVE describes an improper control of interaction frequency vulnerability that explicitly enables flooding attacks, directly mapping to application exhaustion flood for denial of service impacting availability and integrity.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41346 · Shared CWE-799
CVE-2026-24017 · Shared CWE-799
CVE-2026-30972 · Shared CWE-799
CVE-2025-12547 · Shared CWE-799
CVE-2025-9004 · Shared CWE-799
CVE-2026-32729 · Shared CWE-799
CVE-2026-2110 · Shared CWE-799

Affected Assets

Gov
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly implements denial-of-service protections at system entry points to mitigate flooding attacks from improper interaction frequency control.

prevent

Enforces restrictions on information inputs, including frequency limits, to prevent excessive interactions enabling flooding.

prevent

Protects system resource availability from unauthorized depletion due to high-volume flooding exploiting interaction frequency flaws.
