CVE-2026-5783 Beyaz Computer Software Design Industry and Trade Ltd. Co. CVE debrief

Who should care

CityPLus administrators, security teams, and organizations exposing CityPLus to users over the web should treat this as a priority update. End users who routinely access CityPLus in a browser may also be affected if they click crafted links or interact with malicious page content.

Technical summary

The issue is an improper neutralization of input during web page generation, classified as CWE-79 (cross-site scripting). The NVD vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H, indicating remote exploitation without privileges but with required user interaction. The affected release window is CityPLus before V24.29750.1.0.

Defensive priority

High priority for any internet-accessible CityPLus deployment, especially where users may follow links or interact with reflected request parameters.

Recommended defensive actions

• Upgrade CityPLus to V24.29750.1.0 or later.
• Review exposed CityPLus endpoints that reflect request data into HTML responses.
• Warn users to avoid opening untrusted CityPLus links until remediation is complete.
• Monitor for anomalous browser-side behavior or reports of injected content in CityPLus pages.

Evidence notes

The vulnerability description and affected version come from the official CVE/NVD record and the referenced USOM security notice. NVD lists the weakness as CWE-79 and marks the vulnerability status as Deferred. No exploit details or additional product behavior beyond the supplied sources are assumed.

Official resources