CVE-2025-6967 PUBLISHED

Authentication Bypass in Sarman Soft's CMS

Assigner: TR-CERT
Reserved: 01.07.2025 Published: 10.02.2026 Updated: 10.02.2026

Execution After Redirect (EAR) vulnerability in Sarman Soft Software and Technology Services Industry and Trade Ltd. Co. CMS allows JSON Hijacking (aka JavaScript Hijacking), Authentication Bypass.This issue affects CMS: through 10022026.

NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CVSS Score: 8.7

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Sarman Soft Software and Technology Services Industry and Trade Ltd. Co.
Product	CMS
Versions	Default: affected affected from 0 to 10022026 (incl.)

Credits

Çetin BİNİCİ finder

References

https://www.usom.gov.tr/bildirim/tr-26-0050

Problem Types

CWE-698 Execution After Redirect (EAR) CWE

Impacts

CAPEC-111 JSON Hijacking (aka JavaScript Hijacking)
CAPEC-115 Authentication Bypass