CVE-2026-2347

CRITICAL · 9.8
hype MOSTLY HYPE · 28 hack

Same-day publication; no KEV, no PoC, no patch; mostly feed amplification.

What: Authorization bypass via user-controlled keys in Akilli Commerce E-Commerce Website <4.5.001, enabling session hijacking. CVSS 9.8 CRITICAL.

Why it matters: Published today with CRITICAL severity and CVSS 9.8, but not yet KEV-listed. No public PoC confirmed in chatter. Posts are minimal and mostly automated feeds/news aggregators repeating the NVD description. No vendor patch advisory or defender triage reports visible. Early signal only.

Where it's seen: Bluesky posts linking to threat intelligence feeds and security news sites, all timestamp-matched to NVD publication (2–4 hours ago). No independent researcher commentary, no PoC repository activity, no vendor statement.

RISK: CRITICAL — CVSS 9.8 authorization bypass affecting e-commerce deployments; session hijacking risk.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 5/14/2026, 2:04:36 PM

Description

Authorization bypass through User-Controlled key vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Session Hijacking. This issue affects E-Commerce Website: before 4.5.001.

CVSS 3.1 breakdown

Exploitability 3.9 · Impact 5.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: Network
Complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Weaknesses