CVE-2026-35096
Status: Deferred - Pending Action

Cross-Site Request Forgery in KTM System e-BOK

Vulnerability report for CVE-2026-35096, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: CERT.PL

Description

KTM System e-BOK is vulnerable to Cross-Site Request Forgery (CSRF) in both the email-change and password-change functionalities. An attacker can craft a malicious website that, when visited by an authenticated user, automatically sends a forged POST request to the application. This allows the attacker to trigger an unauthorized email or password change on behalf of the victim without their knowledge or interaction. This issue was fixed in the patch published in June 2026.


Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

One associated CPE:
Vendor: ktm
Product: system_e-bok
Version range: up to 2026-06 (inclusive)

Exploitability

CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Executive Summary

The KTM System e-BOK is vulnerable to Cross-Site Request Forgery (CSRF) attacks in its email-change and password-change features.

An attacker can create a malicious website that, when visited by an authenticated user, automatically sends a forged POST request to the KTM System e-BOK application.

This forged request allows the attacker to change the victim's email or password without their knowledge or interaction.

Impact Analysis

This vulnerability can lead to unauthorized changes to your account's email address or password.

An attacker exploiting this flaw could take control of your account by changing your login credentials without your consent.

This could result in loss of access to your account, potential data exposure, and unauthorized actions performed under your identity.

Mitigation Strategies

To mitigate this vulnerability, you should apply the patch released in June 2026 that fixes the Cross-Site Request Forgery (CSRF) issue in KTM System e-BOK's email-change and password-change functionalities.

Additionally, as a general best practice, the application should implement CSRF protection mechanisms such as anti-CSRF tokens, and users should log out of the application when they are not using it.
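As an added illustration (not code from KTM System or from this advisory), the following Python model shows the flaw described above and the token-based mitigation: an email-change handler that trusts the session cookie alone accepts a forged cross-origin POST, while one that also checks a per-session synchronizer token and the Origin header rejects it. The session store, the allowed origin and all names are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store (stands in for the application's real one).
SESSIONS = {}
ALLOWED_ORIGIN = "https://ebok.example"  # assumed origin of the application

def new_session(user, email):
    """Create a logged-in session and a per-session synchronizer token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "email": email, "csrf_token": secrets.token_urlsafe(32)}
    return sid

def change_email_unprotected(cookies, form, headers):
    """Vulnerable pattern: the session cookie alone authorises the change."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401
    sess["email"] = form["email"]
    return 200

def change_email_protected(cookies, form, headers):
    """Hardened pattern: session cookie plus Origin check plus synchronizer token."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401
    # Browsers attach Origin to cross-site POSTs; a forged form cannot spoof it.
    if headers.get("Origin") != ALLOWED_ORIGIN:
        return 403
    # The token is embedded in the page served to the user; a third-party site never sees it.
    if not hmac.compare_digest(form.get("csrf_token", ""), sess["csrf_token"]):
        return 403
    sess["email"] = form["email"]
    return 200

def simulate(handler):
    """Return (status of forged request, victim's email afterwards, status of legitimate request)."""
    sid = new_session("victim", "victim@example.com")
    cookies = {"session": sid}  # the browser sends this cookie on both requests
    # Forged POST auto-submitted from a third-party page: cookie present, token absent.
    forged = handler(cookies, {"email": "attacker@example.com"},
                     {"Origin": "https://attacker.example"})
    email_after_forgery = SESSIONS[sid]["email"]
    # Legitimate POST from the application's own page, carrying the token.
    legit = handler(cookies, {"email": "new@example.com",
                              "csrf_token": SESSIONS[sid]["csrf_token"]},
                    {"Origin": ALLOWED_ORIGIN})
    return forged, email_after_forgery, legit
```

Running simulate() against each handler shows the unprotected one accepting the forged change while the protected one rejects it and still serves the legitimate request.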

Compliance Impact

The vulnerability in KTM System e-BOK allows an attacker to perform unauthorized email and password changes via Cross-Site Request Forgery (CSRF). Such unauthorized changes can lead to unauthorized access or modification of user accounts, potentially compromising personal data.

While this record does not explicitly address compliance with standards such as GDPR or HIPAA, vulnerabilities that enable unauthorized account changes increase the risk of data breaches or unauthorized data access, which are central concerns under these regulations.

Therefore, this vulnerability could negatively impact compliance with data protection regulations by exposing personal data to unauthorized access or modification if exploited.
