Cyber Posture

CVE-2026-7402

High

Published: 30 April 2026

Modified: 30 April 2026
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0001 (3.0th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-7402 is a high-severity Improper Control of Interaction Frequency (CWE-799) vulnerability in Gov (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE ranks at the 3.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application Exhaustion Flood (T1499.003).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly implements denial-of-service protections at system entry points to mitigate flooding attacks from improper interaction frequency control.

prevent

Enforces restrictions on information inputs, including frequency limits, to prevent excessive interactions enabling flooding.

prevent

Protects system resource availability from unauthorized depletion due to high-volume flooding exploiting interaction frequency flaws.

MITRE ATT&CK Enterprise Techniques

T1499.003 Application Exhaustion Flood (Tactic: Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.

Why these techniques?

The CVE describes an improper control of interaction frequency vulnerability that explicitly enables flooding attacks, directly mapping to application exhaustion flood for denial of service impacting availability and integrity.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Control of Interaction Frequency vulnerability in MeWare Software Development Inc. PDKS allows Flooding. This issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.

Deeper analysis

CVE-2026-7402 is an Improper Control of Interaction Frequency vulnerability (CWE-799) in MeWare Software Development Inc.'s PDKS software that allows flooding attacks. Published on 2026-04-30, it affects PDKS versions from V16.20200313 before VMYR_3.5.2025117 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

Attackers with low privileges can exploit the vulnerability remotely over the network with low attack complexity and without requiring user interaction. Exploitation enables high-impact disruption to integrity and availability, permitting flooding that can compromise data integrity and cause significant service denial.

The USOM advisory at https://www.usom.gov.tr/bildirim/tr-26-0141 provides further details on mitigations for this issue.

Details

CWE(s)

Affected Products

Gov
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-41346 (Shared CWE-799)
CVE-2026-24017 (Shared CWE-799)
CVE-2026-30972 (Shared CWE-799)
CVE-2025-12547 (Shared CWE-799)
CVE-2025-9004 (Shared CWE-799)
CVE-2026-2110 (Shared CWE-799)
CVE-2026-32729 (Shared CWE-799)

References