{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1619", "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21", "state": "PUBLISHED", "assignerShortName": "TR-CERT", "dateReserved": "2026-01-29T14:06:14.343Z", "datePublished": "2026-02-13T13:20:54.637Z", "dateUpdated": "2026-02-13T16:59:48.958Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "FlexCity/Kiosk", "vendor": "Universal Software Inc.", "versions": [{"lessThan": "1.0.36", "status": "affected", "version": "1.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "\u0130brahim Y\u0130\u011e\u0130TSOY"}], "datePublic": "2026-02-13T13:16:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authorization Bypass Through User-Controlled Key vulnerability in Universal Software Inc. FlexCity/Kiosk allows Exploitation of Trusted Identifiers.<p>This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.</p>"}], "value": "Authorization Bypass Through User-Controlled Key vulnerability in Universal Software Inc. FlexCity/Kiosk allows Exploitation of Trusted Identifiers.This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36."}], "impacts": [{"capecId": "CAPEC-21", "descriptions": [{"lang": "en", "value": "CAPEC-21 Exploitation of Trusted Identifiers"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21", "shortName": "TR-CERT", "dateUpdated": "2026-02-13T13:20:54.637Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.usom.gov.tr/bildirim/tr-26-0065"}], "source": {"advisory": "TR-26-0065", "defect": ["TR-26-0065"], "discovery": "UNKNOWN"}, "title": "IDOR in Universal Sotware's FlexCity/Kiosk", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-13T16:59:38.442129Z", "id": "CVE-2026-1619", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T16:59:48.958Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1619", "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21", "state": "PUBLISHED", "assignerShortName": "TR-CERT", "dateReserved": "2026-01-29T14:06:14.343Z", "datePublished": "2026-02-13T13:20:54.637Z", "dateUpdated": "2026-02-13T16:59:48.958Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "FlexCity/Kiosk", "vendor": "Universal Software Inc.", "versions": [{"lessThan": "1.0.36", "status": "affected", "version": "1.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "\u0130brahim Y\u0130\u011e\u0130TSOY"}], "datePublic": "2026-02-13T13:16:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authorization Bypass Through User-Controlled Key vulnerability in Universal Software Inc. FlexCity/Kiosk allows Exploitation of Trusted Identifiers.<p>This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.</p>"}], "value": "Authorization Bypass Through User-Controlled Key vulnerability in Universal Software Inc. FlexCity/Kiosk allows Exploitation of Trusted Identifiers.This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36."}], "impacts": [{"capecId": "CAPEC-21", "descriptions": [{"lang": "en", "value": "CAPEC-21 Exploitation of Trusted Identifiers"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21", "shortName": "TR-CERT", "dateUpdated": "2026-02-13T13:20:54.637Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.usom.gov.tr/bildirim/tr-26-0065"}], "source": {"advisory": "TR-26-0065", "defect": ["TR-26-0065"], "discovery": "UNKNOWN"}, "title": "IDOR in Universal Sotware's FlexCity/Kiosk", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1619", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-13T16:59:38.442129Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T16:59:44.470Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:uni-yaz:flexcity:*:*:*:*:*:*:*:*", "matchCriteriaId": "1622F35A-B519-4678-B1C5-43548BCA9A78", "versionEndExcluding": "1.0.36", "versionStartIncluding": "1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Authorization Bypass Through User-Controlled Key vulnerability in Universal Software Inc. FlexCity/Kiosk allows Exploitation of Trusted Identifiers.This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36."}, {"lang": "es", "value": "Vulnerabilidad de elusi\u00f3n de autorizaci\u00f3n mediante clave controlada por el usuario en Universal Software Inc. FlexCity/Kiosk permite la explotaci\u00f3n de identificadores de confianza. Este problema afecta a FlexCity/Kiosk: desde 1.0 antes de 1.0.36."}], "id": "CVE-2026-1619", "lastModified": "2026-03-02T13:38:01.157", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "iletisim@usom.gov.tr", "type": "Primary"}]}, "published": "2026-02-13T14:16:10.067", "references": [{"source": "iletisim@usom.gov.tr", "tags": ["Third Party Advisory"], "url": "https://www.usom.gov.tr/bildirim/tr-26-0065"}], "sourceIdentifier": "iletisim@usom.gov.tr", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "iletisim@usom.gov.tr", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.0,1.0.36)"}}], "product": "flexcity/kiosk", "vendor": "universal_software_inc."}], "analysis": {"en": {"generated_at": "2026-04-18T12:31:04.583044+00:00", "value": {"mitigation_remediation": ["Upgrade FlexCity/Kiosk to version 1.0.36 or later to remove the unchecked reference handling.", "Validate any user-supplied identifier against a whitelist of legitimate values and reject requests that do not match an approved set.", "Restrict network and role access to the API or UI components that expose trusted identifiers, ensuring that only users with the appropriate privileges can request or modify them.", "Monitor logs for unusual usage of trusted identifiers and set alerts for repeated or suspicious request patterns."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "This issue affects Universal Software Inc.\u2019s FlexCity/Kiosk product versions before 1.0.36. Exposed trust in user-controlled identifiers allows exploitation across any installation running those earlier releases.", "description_and_impact": "The vulnerability is an IDOR that permits an attacker with a user-controlled key to bypass authorization checks and gain access to data or functions that should be restricted. This can result in unauthorised disclosure, modification of trusted identifiers, or other privileged operations, directly compromising the confidentiality and integrity of the application. Based on the description, it is inferred that the attacker must craft requests containing a trusted identifier to exploit the bypass.", "risk_and_exploitability": "The flaw carries a CVSS score of 8.3 and an EPSS score below 1\u202f%, indicating low current exploitation probability. It is not listed in KEV, suggesting no widespread, known active exploitation. An attacker can carry out the attack by crafting requests that include a trusted identifier; the vulnerability exploits improper reference validation, classified as CWE\u2011639. Based on the description, it is inferred that the likely attack vector involves sending crafted HTTP requests with a user-controlled trusted identifier."}}}}, "created": "2026-02-13T21:28:39.445293+00:00", "updated": "2026-04-18T12:45:45.658946+00:00", "vendors": ["universal_software_inc.", "universal_software_inc.$PRODUCT$flexcity/kiosk"]}