CVE-2026-35096: CWE-352: Cross-Site Request Forgery (CSRF) in KTM System e-BOK
KTM System e-BOK is vulnerable to Cross‑Site Request Forgery (CSRF) in both the email-change and password-change functionalities. An attacker can craft a malicious website that, when visited by an authenticated user, automatically sends a forged POST request to the application. This allows the attacker to trigger an unauthorized email or password change on behalf of the victim without their knowledge or interaction. This issue was fixed in the patch published in June 2026.
AI Analysis
Technical Summary
CVE-2026-35096 describes a CSRF vulnerability in KTM System e-BOK affecting the email-change and password-change features. An attacker can exploit this by inducing an authenticated user to visit a malicious site that sends forged POST requests to the application, resulting in unauthorized changes to the user's credentials. The vulnerability was fixed by a patch published in June 2026. No specific affected versions were provided. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, and low impact on integrity.
Potential Impact
Successful exploitation allows an attacker to change the email address or password of an authenticated user without their knowledge or interaction, potentially leading to account takeover or denial of access for the legitimate user. The impact is rated medium with a CVSS score of 5.1, reflecting limited but significant risk.
Mitigation Recommendations
A patch addressing this vulnerability was released in June 2026. Users and administrators should apply the official patch to remediate the issue. Since the vendor advisory or patch links are not explicitly provided, verify and obtain the patch from the official KTM System channels. No alternative mitigations or temporary fixes are indicated.
CVE-2026-35096: CWE-352: Cross-Site Request Forgery (CSRF) in KTM System e-BOK
Description
KTM System e-BOK is vulnerable to Cross‑Site Request Forgery (CSRF) in both the email-change and password-change functionalities. An attacker can craft a malicious website that, when visited by an authenticated user, automatically sends a forged POST request to the application. This allows the attacker to trigger an unauthorized email or password change on behalf of the victim without their knowledge or interaction. This issue was fixed in the patch published in June 2026.
CVSS v4.0
Score 5.1medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-35096 describes a CSRF vulnerability in KTM System e-BOK affecting the email-change and password-change features. An attacker can exploit this by inducing an authenticated user to visit a malicious site that sends forged POST requests to the application, resulting in unauthorized changes to the user's credentials. The vulnerability was fixed by a patch published in June 2026. No specific affected versions were provided. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, and low impact on integrity.
Potential Impact
Successful exploitation allows an attacker to change the email address or password of an authenticated user without their knowledge or interaction, potentially leading to account takeover or denial of access for the legitimate user. The impact is rated medium with a CVSS score of 5.1, reflecting limited but significant risk.
Mitigation Recommendations
A patch addressing this vulnerability was released in June 2026. Users and administrators should apply the official patch to remediate the issue. Since the vendor advisory or patch links are not explicitly provided, verify and obtain the patch from the official KTM System channels. No alternative mitigations or temporary fixes are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CERT-PL
- Date Reserved
- 2026-04-01T13:05:10.153Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a43cd7c27e9c79719e724bf
Added to database: 06/30/2026, 14:06:52 UTC
Last enriched: 06/30/2026, 14:21:30 UTC
Last updated: 06/30/2026, 15:06:36 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.