CRITICAL🇵🇱 Wersja polska

CVE-2026-2347

CVSS 9.8v3.1pub. 2026-05-14

Authorization bypass through User-Controlled key vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Session Hijacking. This issue affects E-Commerce Website: before 4.5.001.

🤖 AI Analysis
How it works

The vulnerability (CWE-639) consists of the application using user-controlled keys or identifiers (e.g., parameters in URLs or cookies) to identify sessions or resources without properly verifying whether the requester is actually authorized to access the given resource. An attacker can manipulate these values to impersonate another user and hijack their session (Session Hijacking). The attack requires no authentication, victim interaction, or special network conditions — it is possible remotely over a public network.

Impact

An attacker can fully take over the session of any user, including administrator accounts, gaining unauthorized access to personal data, order history, payment data, and store management functions. Depending on the privileges of the compromised account, data manipulation or complete takeover of the e-commerce platform is possible.

Mitigation & patch

The E-Commerce Website software must be immediately updated to version 4.5.001 or later. Detailed information is available in the security advisory at: https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0222

Who is affected

E-Commerce Website software by Akilli Commerce Software Technologies Ltd. Co. in all versions prior to 4.5.001.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References