CVE-2026-7380 in Access Control Systeminfo

Summary

by MITRE • 07/07/2026

Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Armiya Information Technologies Ltd. Co. Access Control System (GKS) allows XSS Targeting HTML Attributes.

This issue affects Access Control System (GKS): before Version 2.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

The vulnerability under examination represents a classic cross-site scripting flaw categorized as CWE-79, which occurs when web applications fail to properly sanitize user input before rendering it in HTML contexts. This specific weakness manifests within the Armiya Information Technologies Ltd. Co. Access Control System (GKS) version 2 and earlier implementations, where the system inadequately handles script-related HTML tags during web page generation processes. The vulnerability specifically targets HTML attributes, making it particularly dangerous as it can be exploited to inject malicious scripts that execute within the context of other users' browsers.

The technical flaw stems from insufficient input validation and output encoding mechanisms within the GKS application's rendering pipeline. When user-supplied data containing HTML tags or script elements is processed and displayed without proper sanitization, attackers can manipulate the system to inject malicious payloads directly into HTML attributes such as onclick, onmouseover, or other event handlers. This basic form of XSS vulnerability allows threat actors to bypass standard security measures that typically protect against more sophisticated injection attacks by exploiting the fundamental weakness in how the application processes and renders user-controllable content.

The operational impact of this vulnerability extends beyond simple data theft or session hijacking, as it provides attackers with persistent access to compromised systems through browser-based exploitation techniques. The attack surface is particularly concerning given that GKS is an access control system, meaning successful exploitation could potentially grant unauthorized individuals access to physical security controls or compromise the integrity of access logs and authentication mechanisms. The vulnerability aligns with ATT&CK technique T1059.007 for Command and Scripting Interpreter: JavaScript, enabling attackers to execute malicious scripts against users who interact with compromised web pages.

Mitigation strategies should focus on implementing comprehensive input validation and output encoding practices that conform to established security standards such as those outlined in the OWASP Top Ten and NIST guidelines for secure web application development. The system must employ proper HTML escaping mechanisms for all user-controllable data rendered within HTML attributes, utilize Content Security Policy headers to restrict script execution, and implement strict input filtering to prevent malicious payload injection. Additionally, regular security assessments should be conducted to identify similar vulnerabilities across the entire application stack, ensuring that all components follow secure coding practices that prevent the exploitation of similar weaknesses in HTML attribute handling.

Responsible

TR-CERT

Reservation

04/29/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!