{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6623", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-19T16:32:17.535Z", "datePublished": "2026-04-20T09:00:20.118Z", "dateUpdated": "2026-04-20T15:29:21.949Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T09:00:20.118Z"}, "title": "BichitroGan ISP Billing Software Profile users-view cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "BichitroGan", "product": "ISP Billing Software", "versions": [{"version": "2025.3.20", "status": "affected"}], "modules": ["Profile Page Handler"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in BichitroGan ISP Billing Software 2025.3.20. This impacts an unknown function of the file /?_route=settings/users-view/ of the component Profile Page Handler. Performing a manipulation results in cross site scripting. The attack is possible to be carried out remotely. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:ND/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-19T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-19T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-19T18:37:30.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "4m3rr0r (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/358258", "name": "VDB-358258 | BichitroGan ISP Billing Software Profile users-view cross site scripting", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/358258/cti", "name": "VDB-358258 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/792394", "name": "Submit #792394 | BichitroGan ISP Billing System 2025.3.20 Stored Cross-Site Scripting (XSS)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/4m3rr0r/PoCVulDb/issues/17", "tags": ["exploit", "issue-tracking"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T15:28:22.299960Z", "id": "CVE-2026-6623", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:29:21.949Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6623", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T15:28:22.299960Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:28:44.595Z"}}], "cna": {"title": "BichitroGan ISP Billing Software Profile users-view cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "4m3rr0r (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:ND/RL:ND/RC:UR"}}], "affected": [{"vendor": "BichitroGan", "modules": ["Profile Page Handler"], "product": "ISP Billing Software", "versions": [{"status": "affected", "version": "2025.3.20"}]}], "timeline": [{"lang": "en", "time": "2026-04-19T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-19T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-19T18:37:30.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/358258", "name": "VDB-358258 | BichitroGan ISP Billing Software Profile users-view cross site scripting", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/358258/cti", "name": "VDB-358258 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/792394", "name": "Submit #792394 | BichitroGan ISP Billing System 2025.3.20 Stored Cross-Site Scripting (XSS)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/4m3rr0r/PoCVulDb/issues/17", "tags": ["exploit", "issue-tracking"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in BichitroGan ISP Billing Software 2025.3.20. This impacts an unknown function of the file /?_route=settings/users-view/ of the component Profile Page Handler. Performing a manipulation results in cross site scripting. The attack is possible to be carried out remotely. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T09:00:20.118Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6623", "state": "PUBLISHED", "dateUpdated": "2026-04-20T15:29:21.949Z", "dateReserved": "2026-04-19T16:32:17.535Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-20T09:00:20.118Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in BichitroGan ISP Billing Software 2025.3.20. This impacts an unknown function of the file /?_route=settings/users-view/ of the component Profile Page Handler. Performing a manipulation results in cross site scripting. The attack is possible to be carried out remotely. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6623", "lastModified": "2026-04-20T10:16:17.403", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-20T10:16:17.403", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/4m3rr0r/PoCVulDb/issues/17"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/792394"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358258"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358258/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2025.3.20"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ISP Billing Software", "source": "cna", "vendor": "BichitroGan"}, "product": "isp_billing_software", "vendor": "bichitrogan"}], "analysis": {"en": {"generated_at": "2026-04-20T10:50:46.728980+00:00", "value": {"mitigation_remediation": ["Upgrade to a version of BichitroGan ISP Billing Software that addresses the reflected XSS in the Profile Page handler.", "If an official patch is unavailable, sanitize all input parameters for the \"/?_route=settings/users-view/\" route and encode output before rendering to the browser.", "Configure or enable a web application firewall to detect and block typical reflected XSS payloads on the affected endpoint.", "Monitor page logs for anomalous script injection attempts and verify that no client\u2011side scripts are executing on profile pages."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is BichitroGan ISP Billing Software version 2025.3.20. The vulnerability resides in the Profile Page Handler component, specifically the \"settings/users-view\" route.\n\nUsers of this version who access the affected page are at risk of client\u2011side compromise.\n\nNo other vendors or versions are listed in the current data.\n", "description_and_impact": "The application contains a flaw that allows an attacker to inject arbitrary client\u2011side scripts via the \"/?_route=settings/users-view/\" endpoint. The input is reflected in the page without proper encoding, making it possible for an attacker to run malicious code in the browser when a user views the profile page. While the impact is limited to the victim\u2019s browser, the injected code can steal session tokens, modify page content, or trigger phishing actions.\n\nThe vulnerability is a classic reflected XSS that can be performed remotely by sending a crafted HTTP request to the exposed route. The attacker need only access the web interface and can target any user who visits the affected page. Because it is not a privilege\u2011escalation flaw, the risk is confined to the client side but can lead to credential theft and further attacks.\n\nThe CVSS score of 4.8 reflects a low severity overall, yet the lack of a mitigated environment and the potential for exploitation could have significant operational impacts. No exploit probability data are published, and the vulnerability is not in the CISA KEV list, implying limited known exploitation at this time.", "risk_and_exploitability": "The CVSS score of 4.8 indicates a low severity, but the remote nature of the attack means an external party can trigger the injection by simply sending a crafted HTTP request. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread or confirmed exploitation at present. The risk is limited to the victim\u2019s browser session; however, compromised sessions can lead to credential theft, unauthorized actions performed in the user\u2019s context, and phishing. Since no privilege escalation is involved, the overall system integrity remains intact.\n\nGiven the low score but potential for credential and session hijacking, the vulnerability should be addressed promptly."}}}}, "created": "2026-04-20T11:00:05.085470+00:00", "updated": "2026-04-20T14:57:56.135447+00:00", "vendors": ["bichitrogan", "bichitrogan$PRODUCT$isp_billing_software"]}