CVE-2025-9062 PUBLISHED

IDOR in MeCODE Informatics' Envanty

Assigner: TR-CERT
Reserved: 15.08.2025 Published: 19.02.2026 Updated: 19.02.2026

Authorization Bypass Through User-Controlled Key vulnerability in MeCODE Informatics and Engineering Services Ltd. Envanty allows Parameter Injection.This issue affects Envanty: before 1.0.6.

NOTE: The vendor was contacted early about this disclosure but did not respond in any way. The vulnerability was learned to be remediated through reporter information and testing.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS Score: 7.3

Attack Vector	Adjacent Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	MeCODE Informatics and Engineering Services Ltd.
Product	Envanty
Versions	Default: affected affected from 0 to 1.0.6 (excl.)

Credits

Şamil ALPAY finder

References

https://www.usom.gov.tr/bildirim/tr-26-0076

Problem Types

CWE-639 Authorization Bypass Through User-Controlled Key CWE

Impacts

CAPEC-137 Parameter Injection