CVE-2026-6624
Description
A weakness has been identified in BichitroGan ISP Billing Software 2025.3.20. Affected is an unknown function of the file /?_route=pool/add of the component Pool List Interface. Executing a manipulation can lead to cross site scripting. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in BichitroGan ISP Billing Software Pool Name field allows remote attackers to execute arbitrary JavaScript in admin sessions.
Vulnerability Overview
A stored cross-site scripting (XSS) vulnerability exists in BichitroGan ISP Billing Software version 2025.3.20. The Pool Name parameter in the /?_route=pool/add endpoint is not properly sanitized before being stored in the database. When the stored value is later rendered in the Pool List interface, it is displayed without HTML encoding, allowing arbitrary JavaScript execution. The vendor was contacted but did not respond, and an exploit has been publicly released [1].
Exploitation Requirements
Exploitation requires authenticated access to the pool management interface, specifically the ability to create or modify pool entries. An attacker with such privileges can inject a malicious payload into the Pool Name field, such as ``. The payload is then stored and executed whenever an administrator views the Pool List page. Remote attackers can target internal administrators via social engineering or privilege escalation [1].
Impact
Successful exploitation leads to cross-site scripting execution in the administrator's browser context. This enables session hijacking, credential theft, defacement, and unauthorized actions on the billing system. If an admin account is compromised, an attacker could achieve full system takeover [1].
Mitigation
No official patch is available. Mitigation includes proper output escaping (e.g., htmlspecialchars with ENT_QUOTES), strict input validation, and Content Security Policy (CSP) headers. Administrators should restrict access to the pool management interface and monitor for suspicious activity [1].
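The vulnerable rendering pattern beside its hardened form, as an added PHP example that is not the vendor's code; the `pool_name` column, the `$pools` sample rows, the `render_pool_rows*` functions and the validation pattern are assumptions for illustration:

```php
<?php
// Added example, not BichitroGan code. Sample rows are constructed; the
// second name is the kind of value an unsanitized Pool Name field would persist.
$pools = [
    ['id' => 1, 'pool_name' => 'Residential-A'],
    ['id' => 2, 'pool_name' => '"><script>alert(1)</script>'],
];

// Vulnerable pattern: the stored value is echoed into the table as-is, so the
// browser parses it as markup when an administrator opens the Pool List page.
function render_pool_rows_vulnerable(array $pools): string
{
    $html = '';
    foreach ($pools as $pool) {
        $html .= "<tr><td>{$pool['id']}</td><td>{$pool['pool_name']}</td></tr>\n";
    }
    return $html;
}

// Hardened pattern: encode on output. ENT_QUOTES escapes both quote styles,
// so the value is inert in attribute contexts as well as in text nodes.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_pool_rows(array $pools): string
{
    $html = '';
    foreach ($pools as $pool) {
        $html .= '<tr><td>' . esc((string) $pool['id']) . '</td><td>'
               . esc($pool['pool_name']) . "</td></tr>\n";
    }
    return $html;
}

// Input validation at /?_route=pool/add: accept a conservative character set
// for a pool name instead of relying on output encoding alone (assumed policy).
function valid_pool_name(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9 ._-]{1,64}$/', $name);
}

// Defence in depth: a CSP without 'unsafe-inline' blocks an injected inline
// script even if an encoding gap remains elsewhere in the interface.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

echo render_pool_rows($pools);
```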
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: = 2025.3.20
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.