Common Weakness Enumeration

CWE-754

Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

CVE-2026-49316 (GCVE-0-2026-49316)

Vulnerability from cvelistv5 – Published: 2026-05-29 12:39 – Updated: 2026-06-27 08:47
VLAI
Title
Indian Scout Bobber 2025 WCM CAN bus-off attack silently bypasses anti-theft shutdown
Summary
Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle's anti-theft shutdown by forcing the Wireless Control Module (WCM) into the CAN bus-off state. Using a well-known CAN error-frame injection technique against a periodic WCM transmission, the attacker drives the WCM CAN controller's transmit error counter past the bus-off threshold, after which the WCM stops transmitting all messages, including the shutdown command. Peer ECUs do not interpret WCM silence as a security event and continue normal operation, allowing the motorcycle to be operated despite the immobilizer never having been unlocked. Specific protocol details have been withheld pending vendor remediation.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-440 - Expected Behavior Violation
  • CWE-754 - Improper Check for Unusual or Exceptional Conditions
  • CWE-693 - Protection Mechanism Failure
Assigner
References
URL Tags
https://cwe.mitre.org/data/definitions/440.html technical-description
Impacted products
Vendor Product Version
Indian Motorcycle Scout Bobber + Tech Affected: 2025 (model-year)
Create a notification for this product.
Date Public
2026-05-29 15:00
Credits
Scott Sheahan, Rustic Security LLC
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-49316",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-29T15:26:52.193932Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-29T15:26:58.445Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "Wireless Control Module (WCM)"
          ],
          "platforms": [
            "OEM Motorcycle"
          ],
          "product": "Scout Bobber + Tech",
          "vendor": "Indian Motorcycle",
          "versions": [
            {
              "status": "affected",
              "version": "2025",
              "versionType": "model-year"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Scott Sheahan, Rustic Security LLC"
        }
      ],
      "datePublic": "2026-05-29T15:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eExpected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle\u0027s anti-theft shutdown by forcing the Wireless Control Module (WCM) into the CAN bus-off state. Using a well-known CAN error-frame injection technique against a periodic WCM transmission, the attacker drives the WCM CAN controller\u0027s transmit error counter past the bus-off threshold, after which the WCM stops transmitting all messages, including the shutdown command. Peer ECUs do not interpret WCM silence as a security event and continue normal operation, allowing the motorcycle to be operated despite the immobilizer never having been unlocked. Specific protocol details have been withheld pending vendor remediation.\u003c/p\u003e"
            }
          ],
          "value": "Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle\u0027s anti-theft shutdown by forcing the Wireless Control Module (WCM) into the CAN bus-off state. Using a well-known CAN error-frame injection technique against a periodic WCM transmission, the attacker drives the WCM CAN controller\u0027s transmit error counter past the bus-off threshold, after which the WCM stops transmitting all messages, including the shutdown command. Peer ECUs do not interpret WCM silence as a security event and continue normal operation, allowing the motorcycle to be operated despite the immobilizer never having been unlocked. Specific protocol details have been withheld pending vendor remediation."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Obstruction"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Software Integrity Attack"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "HIGH",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "PHYSICAL",
            "baseScore": 4.1,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-440",
              "description": "CWE-440 Expected Behavior Violation",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-754",
              "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-693",
              "description": "CWE-693 Protection Mechanism Failure",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-27T08:47:44.904Z",
        "orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
        "shortName": "ASRG"
      },
      "references": [
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://cwe.mitre.org/data/definitions/440.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eTreat absence of the WCM heartbeat as a security event in peer ECUs \u2014 command shutdown if the WCM\u0027s periodic message is missing beyond a bounded interval. Authenticate the heartbeat with AUTOSAR SecOC or equivalent to prevent post-silence spoofing. Auto-recover the WCM from bus-off and log the event.\u003c/p\u003e"
            }
          ],
          "value": "Treat absence of the WCM heartbeat as a security event in peer ECUs \u2014 command shutdown if the WCM\u0027s periodic message is missing beyond a bounded interval. Authenticate the heartbeat with AUTOSAR SecOC or equivalent to prevent post-silence spoofing. Auto-recover the WCM from bus-off and log the event."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-03-26T00:00:00.000Z",
          "value": "Reported to Indian Motorcycle by Rustic Security LLC (responsible disclosure)"
        }
      ],
      "title": "Indian Scout Bobber 2025 WCM CAN bus-off attack silently bypasses anti-theft shutdown",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
    "assignerShortName": "ASRG",
    "cveId": "CVE-2026-49316",
    "datePublished": "2026-05-29T12:39:23.104Z",
    "dateReserved": "2026-05-29T07:26:43.198Z",
    "dateUpdated": "2026-06-27T08:47:44.904Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-49317 (GCVE-0-2026-49317)

Vulnerability from cvelistv5 – Published: 2026-05-29 12:42 – Updated: 2026-06-27 08:48
VLAI
Title
Indian Scout Bobber 2025 Infotainment Digital Round skips PIN entry when WCM is silent at boot
Summary
Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during its boot window as a proxy for whether an immobilizer is fitted; if no WCM messages are observed, it skips the PIN entry screen and shows the normal user interface. An attacker who silences the WCM during the boot window — for example via a separately tracked CAN bus-off technique — can present a fully unlocked Infotainment despite the PIN never being entered. Specific timing and protocol details have been withheld pending vendor remediation.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-696 - Incorrect Behavior Order
  • CWE-636 - Not Failing Securely ('Failing Open')
  • CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
URL Tags
https://cwe.mitre.org/data/definitions/696.html technical-description
Impacted products
Vendor Product Version
Indian Motorcycle Scout Bobber + Tech Affected: 2025 (model-year)
Create a notification for this product.
Credits
Scott Sheahan, Rustic Security LLC
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-49317",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-29T15:26:06.725714Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-29T15:26:14.561Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "Infotainment / Digital Round"
          ],
          "platforms": [
            "OEM Motorcycle"
          ],
          "product": "Scout Bobber + Tech",
          "vendor": "Indian Motorcycle",
          "versions": [
            {
              "status": "affected",
              "version": "2025",
              "versionType": "model-year"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Scott Sheahan, Rustic Security LLC"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIncorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during its boot window as a proxy for whether an immobilizer is fitted; if no WCM messages are observed, it skips the PIN entry screen and shows the normal user interface. An attacker who silences the WCM during the boot window \u2014 for example via a separately tracked CAN bus-off technique \u2014 can present a fully unlocked Infotainment despite the PIN never being entered. Specific timing and protocol details have been withheld pending vendor remediation.\u003c/p\u003e"
            }
          ],
          "value": "Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during its boot window as a proxy for whether an immobilizer is fitted; if no WCM messages are observed, it skips the PIN entry screen and shows the normal user interface. An attacker who silences the WCM during the boot window \u2014 for example via a separately tracked CAN bus-off technique \u2014 can present a fully unlocked Infotainment despite the PIN never being entered. Specific timing and protocol details have been withheld pending vendor remediation."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Authentication Bypass"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Leveraging Race Conditions"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "NONE",
            "baseScore": 2.4,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "PHYSICAL",
            "baseScore": 1,
            "baseSeverity": "LOW",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-696",
              "description": "CWE-696 Incorrect Behavior Order",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-636",
              "description": "CWE-636 Not Failing Securely (\u0027Failing Open\u0027)",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-754",
              "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-27T08:48:05.553Z",
        "orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
        "shortName": "ASRG"
      },
      "references": [
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://cwe.mitre.org/data/definitions/696.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eFail secure on WCM absence: if the Infotainment cannot positively identify a WCM via signed challenge-response with a per-boot nonce, default to a locked screen indicating WCM service required, rather than skipping the PIN entry.\u003c/p\u003e"
            }
          ],
          "value": "Fail secure on WCM absence: if the Infotainment cannot positively identify a WCM via signed challenge-response with a per-boot nonce, default to a locked screen indicating WCM service required, rather than skipping the PIN entry."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-03-26T00:00:00.000Z",
          "value": "Reported to Indian Motorcycle by Rustic Security LLC (responsible disclosure)"
        }
      ],
      "title": "Indian Scout Bobber 2025 Infotainment Digital Round skips PIN entry when WCM is silent at boot",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
    "assignerShortName": "ASRG",
    "cveId": "CVE-2026-49317",
    "datePublished": "2026-05-29T12:42:27.531Z",
    "dateReserved": "2026-05-29T07:26:43.198Z",
    "dateUpdated": "2026-06-27T08:48:05.553Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-49318 (GCVE-0-2026-49318)

Vulnerability from cvelistv5 – Published: 2026-05-29 13:18 – Updated: 2026-06-27 08:48
VLAI
Title
Indian Scout Bobber 2025 Infotainment Digital Round skips PIN entry when WCM is silent at boot
Summary
Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during its boot window as a proxy for whether an immobilizer is fitted; if no WCM messages are observed, it skips the PIN entry screen and shows the normal user interface. An attacker who silences the WCM during the boot window — for example via a separately tracked CAN bus-off technique — can present a fully unlocked Infotainment despite the PIN never being entered. Specific timing and protocol details have been withheld pending vendor remediation.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-696 - Incorrect Behavior Order
  • CWE-636 - Not Failing Securely ('Failing Open')
  • CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
URL Tags
https://cwe.mitre.org/data/definitions/696.html technical-description
Impacted products
Vendor Product Version
Indian Motorcycle Scout Bobber + Tech Affected: 2025 (model-year)
Create a notification for this product.
Date Public
2026-05-29 15:00
Credits
Scott Sheahan, Rustic Security LLC
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-49318",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-29T14:07:21.099266Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-29T14:07:27.548Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "Infotainment / Digital Round"
          ],
          "platforms": [
            "OEM Motorcycle"
          ],
          "product": "Scout Bobber + Tech",
          "vendor": "Indian Motorcycle",
          "versions": [
            {
              "status": "affected",
              "version": "2025",
              "versionType": "model-year"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Scott Sheahan, Rustic Security LLC"
        }
      ],
      "datePublic": "2026-05-29T15:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIncorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during its boot window as a proxy for whether an immobilizer is fitted; if no WCM messages are observed, it skips the PIN entry screen and shows the normal user interface. An attacker who silences the WCM during the boot window \u2014 for example via a separately tracked CAN bus-off technique \u2014 can present a fully unlocked Infotainment despite the PIN never being entered. Specific timing and protocol details have been withheld pending vendor remediation.\u003c/p\u003e"
            }
          ],
          "value": "Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during its boot window as a proxy for whether an immobilizer is fitted; if no WCM messages are observed, it skips the PIN entry screen and shows the normal user interface. An attacker who silences the WCM during the boot window \u2014 for example via a separately tracked CAN bus-off technique \u2014 can present a fully unlocked Infotainment despite the PIN never being entered. Specific timing and protocol details have been withheld pending vendor remediation."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Authentication Bypass"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Leveraging Race Conditions"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "NONE",
            "baseScore": 2.4,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "PHYSICAL",
            "baseScore": 1,
            "baseSeverity": "LOW",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-696",
              "description": "CWE-696 Incorrect Behavior Order",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-636",
              "description": "CWE-636 Not Failing Securely (\u0027Failing Open\u0027)",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-754",
              "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-27T08:48:24.495Z",
        "orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
        "shortName": "ASRG"
      },
      "references": [
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://cwe.mitre.org/data/definitions/696.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eFail secure on WCM absence: if the Infotainment cannot positively identify a WCM via signed challenge-response with a per-boot nonce, default to a locked screen indicating WCM service required, rather than skipping the PIN entry.\u003c/p\u003e"
            }
          ],
          "value": "Fail secure on WCM absence: if the Infotainment cannot positively identify a WCM via signed challenge-response with a per-boot nonce, default to a locked screen indicating WCM service required, rather than skipping the PIN entry."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-03-26T00:00:00.000Z",
          "value": "Reported to Indian Motorcycle by Rustic Security LLC (responsible disclosure)"
        }
      ],
      "title": "Indian Scout Bobber 2025 Infotainment Digital Round skips PIN entry when WCM is silent at boot",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
    "assignerShortName": "ASRG",
    "cveId": "CVE-2026-49318",
    "datePublished": "2026-05-29T13:18:52.305Z",
    "dateReserved": "2026-05-29T07:26:43.198Z",
    "dateUpdated": "2026-06-27T08:48:24.495Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-49325 (GCVE-0-2026-49325)

Vulnerability from cvelistv5 – Published: 2026-05-29 12:37 – Updated: 2026-06-27 08:47
VLAI
Title
Indian Scout Bobber 2025 WCM voltage-based shutdown
Summary
Improper handling of physical conditions in the bike-shutdown control of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows a physical attacker with access to the Wireless Control Module (WCM) wiring harness to bypass the anti-theft shutdown. The WCM signals shutdown to a peer ECU via a falling-edge voltage transition on a dedicated wire pair. The receiving ECU does not distinguish between an active shutdown pulse and an open-circuit / disconnected condition; interrupting the relevant wires leaves the motorcycle fully operable even though the WCM never validated the rider's PIN. Specific connector details have been withheld pending vendor remediation.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1384 - Improper Handling of Physical or Environmental Conditions
  • CWE-754 - Improper Check for Unusual or Exceptional Conditions
  • CWE-693 - Protection Mechanism Failure
Assigner
References
URL Tags
https://cwe.mitre.org/data/definitions/1384.html technical-description
Impacted products
Vendor Product Version
Indian Motorcycle Scout Bobber + Tech Affected: 2025 (model-year)
Create a notification for this product.
Date Public
2026-05-29 15:00
Credits
Scott Sheahan, Rustic Security LLC
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-49325",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-29T15:27:10.878359Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-29T15:27:16.405Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "Wireless Control Module (WCM)",
            "Vehicle Control Module (VCM)"
          ],
          "platforms": [
            "OEM Motorcycle"
          ],
          "product": "Scout Bobber + Tech",
          "vendor": "Indian Motorcycle",
          "versions": [
            {
              "status": "affected",
              "version": "2025",
              "versionType": "model-year"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Scott Sheahan, Rustic Security LLC"
        }
      ],
      "datePublic": "2026-05-29T15:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper handling of physical conditions in the bike-shutdown control of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows a physical attacker with access to the Wireless Control Module (WCM) wiring harness to bypass the anti-theft shutdown. The WCM signals shutdown to a peer ECU via a falling-edge voltage transition on a dedicated wire pair. The receiving ECU does not distinguish between an active shutdown pulse and an open-circuit / disconnected condition; interrupting the relevant wires leaves the motorcycle fully operable even though the WCM never validated the rider\u0027s PIN. Specific connector details have been withheld pending vendor remediation.\u003c/p\u003e"
            }
          ],
          "value": "Improper handling of physical conditions in the bike-shutdown control of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows a physical attacker with access to the Wireless Control Module (WCM) wiring harness to bypass the anti-theft shutdown. The WCM signals shutdown to a peer ECU via a falling-edge voltage transition on a dedicated wire pair. The receiving ECU does not distinguish between an active shutdown pulse and an open-circuit / disconnected condition; interrupting the relevant wires leaves the motorcycle fully operable even though the WCM never validated the rider\u0027s PIN. Specific connector details have been withheld pending vendor remediation."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Physically Hacking Hardware"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Hardware Fault Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "HIGH",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "PHYSICAL",
            "baseScore": 4.1,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1384",
              "description": "CWE-1384 Improper Handling of Physical or Environmental Conditions",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-754",
              "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-693",
              "description": "CWE-693 Protection Mechanism Failure",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-27T08:47:24.244Z",
        "orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
        "shortName": "ASRG"
      },
      "references": [
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://cwe.mitre.org/data/definitions/1384.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUse a positive-validation heartbeat: the receiving ECU should require a periodic rising-edge or signed message from the WCM and treat its absence as the shutdown command (fail-secure). Combine with CAN-A liveness validation. Add tamper-evident sealing on the WCM connector.\u003c/p\u003e"
            }
          ],
          "value": "Use a positive-validation heartbeat: the receiving ECU should require a periodic rising-edge or signed message from the WCM and treat its absence as the shutdown command (fail-secure). Combine with CAN-A liveness validation. Add tamper-evident sealing on the WCM connector."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-03-26T00:00:00.000Z",
          "value": "Reported to Indian Motorcycle by Rustic Security LLC (responsible disclosure)"
        }
      ],
      "title": "Indian Scout Bobber 2025 WCM voltage-based shutdown",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
    "assignerShortName": "ASRG",
    "cveId": "CVE-2026-49325",
    "datePublished": "2026-05-29T12:37:41.867Z",
    "dateReserved": "2026-05-29T07:26:43.199Z",
    "dateUpdated": "2026-06-27T08:47:24.244Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-5343 (GCVE-0-2026-5343)

Vulnerability from cvelistv5 – Published: 2026-05-28 22:48 – Updated: 2026-05-29 18:38
VLAI
Title
SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031
Summary
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal SAML SSO - Service Provider allows Privilege Escalation. This issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.4.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
Impacted products
Vendor Product Version
Drupal SAML SSO - Service Provider Affected: 0.0.0 , < 3.1.4 (semver)
Create a notification for this product.
Date Public
2026-04-01 16:38
Credits
Tim de Jong | Freelance Drupal Developer (tim_dj) Sudhanshu Dhage (sudhanshu0542) Damien McKenna (damienmckenna) Greg Knaddison (greggles) Juraj Nemec (poker10) Jess (xjm)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.4,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-5343",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-29T18:38:28.307589Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-29T18:38:36.072Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/miniorange_saml",
          "defaultStatus": "unaffected",
          "product": "SAML SSO - Service Provider",
          "repo": "https://git.drupalcode.org/project/miniorange_saml",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThan": "3.1.4",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Tim de Jong | Freelance Drupal Developer (tim_dj)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Sudhanshu Dhage (sudhanshu0542)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Damien McKenna (damienmckenna)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Greg Knaddison (greggles)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Juraj Nemec (poker10)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jess  (xjm)"
        }
      ],
      "datePublic": "2026-04-01T16:38:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal SAML SSO - Service Provider allows Privilege Escalation.\u003cp\u003eThis issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.4.\u003c/p\u003e"
            }
          ],
          "value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal SAML SSO - Service Provider allows Privilege Escalation.\n\nThis issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.4."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-754",
              "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-28T22:48:47.591Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "url": "https://www.drupal.org/sa-contrib-2026-031"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "SAML SSO - Service Provider  - Critical - Authentication bypass - SA-CONTRIB-2026-031",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2026-5343",
    "datePublished": "2026-05-28T22:48:47.591Z",
    "dateReserved": "2026-04-01T15:41:53.003Z",
    "dateUpdated": "2026-05-29T18:38:36.072Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-54269 (GCVE-0-2026-54269)

Vulnerability from cvelistv5 – Published: 2026-06-22 16:23 – Updated: 2026-06-23 16:09
VLAI
Title
protobufjs: Schema-derived names can shadow runtime-significant properties
Summary
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names such as $type when loaded through protobufjs JSON/reflection descriptors, and service methods whose generated helper name is rpcCall. When affected message or service types were used, protobufjs could read schema-controlled data where it expected an own-property helper, reflected type metadata, or the base RPC helper. This could cause deterministic exceptions or recursive calls in affected decode post-checks, verification, object conversion, reflected JSON serialization, or protobufjs RPC helper invocation. This vulnerability is fixed in 8.6.0 and 7.6.3.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-674 - Uncontrolled Recursion
  • CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
Impacted products
Vendor Product Version
protobufjs protobuf.js Affected: < 7.6.3
Affected: >= 8.0.0, < 8.6.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54269",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-23T16:07:04.844722Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-23T16:09:36.165Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "protobuf.js",
          "vendor": "protobufjs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.6.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0, \u003c 8.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names such as $type when loaded through protobufjs JSON/reflection descriptors, and service methods whose generated helper name is rpcCall. When affected message or service types were used, protobufjs could read schema-controlled data where it expected an own-property helper, reflected type metadata, or the base RPC helper. This could cause deterministic exceptions or recursive calls in affected decode post-checks, verification, object conversion, reflected JSON serialization, or protobufjs RPC helper invocation. This vulnerability is fixed in 8.6.0 and 7.6.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "CWE-674: Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-754",
              "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-22T16:23:24.383Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f38q-mgvj-vph7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f38q-mgvj-vph7"
        }
      ],
      "source": {
        "advisory": "GHSA-f38q-mgvj-vph7",
        "discovery": "UNKNOWN"
      },
      "title": "protobufjs: Schema-derived names can shadow runtime-significant properties"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-54269",
    "datePublished": "2026-06-22T16:23:24.383Z",
    "dateReserved": "2026-06-12T17:13:32.279Z",
    "dateUpdated": "2026-06-23T16:09:36.165Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-54775 (GCVE-0-2026-54775)

Vulnerability from cvelistv5 – Published: 2026-07-08 22:13 – Updated: 2026-07-09 14:20
VLAI
Title
CoreWCF: Kafka consume pump halts permanently on a Kafka tombstone (null-value record), causing persistent endpoint denial of service.
Summary
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, a CoreWCF service listening on a Kafka topic stops processing new records from that topic when KafkaTransportPump receives a null-value tombstone record, causing a persistent endpoint denial of service for attackers with produce permission. This issue is fixed in versions 1.8.1 and 1.9.1.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-248 - Uncaught Exception
  • CWE-754 - Improper Check for Unusual or Exceptional Conditions
  • CWE-755 - Improper Handling of Exceptional Conditions
Assigner
Impacted products
Vendor Product Version
CoreWCF CoreWCF Affected: >= 1.9.0, < 1.9.1
Affected: < 1.8.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54775",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-09T14:20:22.314924Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-09T14:20:32.975Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "CoreWCF",
          "vendor": "CoreWCF",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.9.0, \u003c 1.9.1"
            },
            {
              "status": "affected",
              "version": "\u003c 1.8.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, a CoreWCF service listening on a Kafka topic stops processing new records from that topic when KafkaTransportPump receives a null-value tombstone record, causing a persistent endpoint denial of service for attackers with produce permission. This issue is fixed in versions 1.8.1 and 1.9.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-248",
              "description": "CWE-248: Uncaught Exception",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-754",
              "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-755",
              "description": "CWE-755: Improper Handling of Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-08T22:13:37.611Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-m744-jhq9-ppw6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-m744-jhq9-ppw6"
        },
        {
          "name": "https://github.com/CoreWCF/CoreWCF/commit/1a229d0d14a07766302f7d14c866889f04a3a624",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/CoreWCF/CoreWCF/commit/1a229d0d14a07766302f7d14c866889f04a3a624"
        },
        {
          "name": "https://github.com/CoreWCF/CoreWCF/commit/6d7431ebc0ebe6521ea6d0dbea8982bac3d2bc98",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/CoreWCF/CoreWCF/commit/6d7431ebc0ebe6521ea6d0dbea8982bac3d2bc98"
        },
        {
          "name": "https://github.com/CoreWCF/CoreWCF/commit/8f95f3ac3c929409e830b5c5659683ef9f6ea6b0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/CoreWCF/CoreWCF/commit/8f95f3ac3c929409e830b5c5659683ef9f6ea6b0"
        },
        {
          "name": "https://github.com/CoreWCF/CoreWCF/releases/tag/v1.8.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/CoreWCF/CoreWCF/releases/tag/v1.8.1"
        },
        {
          "name": "https://github.com/CoreWCF/CoreWCF/releases/tag/v1.9.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/CoreWCF/CoreWCF/releases/tag/v1.9.1"
        }
      ],
      "source": {
        "advisory": "GHSA-m744-jhq9-ppw6",
        "discovery": "UNKNOWN"
      },
      "title": "CoreWCF: Kafka consume pump halts permanently on a Kafka tombstone (null-value record), causing persistent endpoint denial of service."
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-54775",
    "datePublished": "2026-07-08T22:13:37.611Z",
    "dateReserved": "2026-06-15T23:23:57.713Z",
    "dateUpdated": "2026-07-09T14:20:32.975Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-55577 (GCVE-0-2026-55577)

Vulnerability from cvelistv5 – Published: 2026-07-01 18:56 – Updated: 2026-07-01 19:24
VLAI
Title
ImageMagick: Heap Buffer Overflow in ImageMagick MVG decoder
Summary
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-51 and 7.1.2-26, a heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image. This issue has been fixed in versions 6.9.13-51 and 7.1.2-26.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-754 - Improper Check for Unusual or Exceptional Conditions
  • CWE-755 - Improper Handling of Exceptional Conditions
  • CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
Vendor Product Version
ImageMagick ImageMagick Affected: >= 7.0.1-0, < 7.1.2-26
Affected: < 6.9.13-51
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-55577",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-01T19:24:24.858753Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-01T19:24:45.452Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ImageMagick",
          "vendor": "ImageMagick",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 7.0.1-0, \u003c 7.1.2-26"
            },
            {
              "status": "affected",
              "version": "\u003c 6.9.13-51"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-51 and 7.1.2-26, a heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image. This issue has been fixed in versions 6.9.13-51 and 7.1.2-26."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-754",
              "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-755",
              "description": "CWE-755: Improper Handling of Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-01T18:56:28.768Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wx47-rm3x-jx6p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wx47-rm3x-jx6p"
        }
      ],
      "source": {
        "advisory": "GHSA-wx47-rm3x-jx6p",
        "discovery": "UNKNOWN"
      },
      "title": "ImageMagick: Heap Buffer Overflow in ImageMagick MVG decoder"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-55577",
    "datePublished": "2026-07-01T18:56:28.768Z",
    "dateReserved": "2026-06-16T23:11:20.215Z",
    "dateUpdated": "2026-07-01T19:24:45.452Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-56812 (GCVE-0-2026-56812)

Vulnerability from cvelistv5 – Published: 2026-07-07 15:22 – Updated: 2026-07-07 16:11
VLAI
Title
Phoenix JavaScript presence client crashes on presence keys colliding with Object.prototype members in Presence.syncState/syncDiff
Summary
Improper Check for Unusual or Exceptional Conditions vulnerability in phoenixframework phoenix (Presence JavaScript client) allows an attacker with ordinary channel access to cause a persistent client-side denial of service against every viewer of a presence channel topic. This vulnerability is associated with program files assets/js/phoenix/presence.js and program routines Presence.syncState and Presence.syncDiff. The Phoenix JavaScript presence client checks whether a presence already exists with a bare truthiness test (state[key]) instead of an own-property check. Presence keys can be attacker-controlled, because applications track presences under a username or id supplied by the client. A user who joins a channel choosing a key that is an Object.prototype member name (__proto__, constructor, toString, hasOwnProperty, and similar) makes that lookup return JavaScript's built-in Object.prototype instead of undefined. Because the prototype is truthy, the code treats it as an existing presence and reads .metas.map(...) off it, which throws an uncaught TypeError. The exception propagates out of the presence message handler, so the local state is never updated and onSync() never fires. Because the malicious key is tracked on the server, it is re-pushed on every presence update and keeps re-throwing, so presence sync stays broken for every viewer of that channel topic until the attacker leaves. Both syncState and syncDiff use the same unsafe existence-check pattern. The impact is limited to the affected topic and is a read-time confusion of the prototype object, not a mutation of Object.prototype (it is not prototype pollution). This issue affects phoenix: from 1.2.0-rc.0 before 1.5.15, from 1.6.0-rc.0 before 1.6.17, from 1.7.0-rc.0 before 1.7.24, and from 1.8.0-rc.0 before 1.8.9.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
EEF
Impacted products
Vendor Product Version
phoenixframework phoenix Affected: 1.2.0-rc.0 , < 1.5.15 (semver)
Affected: 1.6.0-rc.0 , < 1.6.17 (semver)
Affected: 1.7.0-rc.0 , < 1.7.24 (semver)
Affected: 1.8.0-rc.0 , < 1.8.9 (semver)
    cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*
Create a notification for this product.
phoenixframework phoenix Affected: 2270aaf21bd02c6a6a1022820564efb605a97655 , < * (git)
    cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Peter Ullrich Jonatan Männchen José Valim Steffen Deusch
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-56812",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-07T16:11:03.353715Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-07T16:11:10.938Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/phoenixframework/phoenix/security/advisories/GHSA-63mc-hw7g-86rr"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "Presence"
          ],
          "packageName": "phoenix",
          "packageURL": "pkg:hex/phoenix",
          "product": "phoenix",
          "programFiles": [
            "assets/js/phoenix/presence.js"
          ],
          "programRoutines": [
            {
              "name": "Presence.syncState"
            },
            {
              "name": "Presence.syncDiff"
            }
          ],
          "repo": "https://github.com/phoenixframework/phoenix",
          "vendor": "phoenixframework",
          "versions": [
            {
              "lessThan": "1.5.15",
              "status": "affected",
              "version": "1.2.0-rc.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.6.17",
              "status": "affected",
              "version": "1.6.0-rc.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.7.24",
              "status": "affected",
              "version": "1.7.0-rc.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.8.9",
              "status": "affected",
              "version": "1.8.0-rc.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://registry.npmjs.org",
          "cpes": [
            "cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "Presence"
          ],
          "packageName": "phoenix",
          "packageURL": "pkg:npm/phoenix",
          "product": "phoenix",
          "programFiles": [
            "assets/js/phoenix/presence.js"
          ],
          "programRoutines": [
            {
              "name": "Presence.syncState"
            },
            {
              "name": "Presence.syncDiff"
            }
          ],
          "repo": "https://github.com/phoenixframework/phoenix",
          "vendor": "phoenixframework",
          "versions": [
            {
              "lessThan": "1.5.15",
              "status": "affected",
              "version": "1.2.0-rc.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.6.17",
              "status": "affected",
              "version": "1.6.0-rc.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.7.24",
              "status": "affected",
              "version": "1.7.0-rc.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.8.9",
              "status": "affected",
              "version": "1.8.0-rc.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "Presence"
          ],
          "packageName": "phoenixframework/phoenix",
          "packageURL": "pkg:github/phoenixframework/phoenix",
          "product": "phoenix",
          "programFiles": [
            "assets/js/phoenix/presence.js"
          ],
          "programRoutines": [
            {
              "name": "Presence.syncState"
            },
            {
              "name": "Presence.syncDiff"
            }
          ],
          "repo": "https://github.com/phoenixframework/phoenix",
          "vendor": "phoenixframework",
          "versions": [
            {
              "changes": [
                {
                  "at": "7f7b971c1ea0994e3fbd1c11ddb05e780bd38ad8",
                  "status": "unaffected"
                },
                {
                  "at": "89a1c4be161e436241e12b2378a719904b9bd96f",
                  "status": "unaffected"
                },
                {
                  "at": "b90b22521465ece00eb5a19d5aa2b9465b209c85",
                  "status": "unaffected"
                },
                {
                  "at": "beffc4da1e787e572121f68902c63daf4fe7d9c2",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "2270aaf21bd02c6a6a1022820564efb605a97655",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe application must use \u003ctt\u003ePhoenix.Presence\u003c/tt\u003e (or otherwise drive the Phoenix JavaScript presence client) and track presences under keys that are influenced by untrusted client input, for example a username or id chosen by the connecting user. Applications that derive presence keys exclusively from server-controlled, validated values are not affected.\u003c/p\u003e"
            }
          ],
          "value": "The application must use Phoenix.Presence (or otherwise drive the Phoenix JavaScript presence client) and track presences under keys that are influenced by untrusted client input, for example a username or id chosen by the connecting user. Applications that derive presence keys exclusively from server-controlled, validated values are not affected."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.5.15",
                  "versionStartIncluding": "1.2.0-rc.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.6.17",
                  "versionStartIncluding": "1.6.0-rc.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.7.24",
                  "versionStartIncluding": "1.7.0-rc.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.8.9",
                  "versionStartIncluding": "1.8.0-rc.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jos\u00e9 Valim"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Steffen Deusch"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Check for Unusual or Exceptional Conditions vulnerability in phoenixframework phoenix (Presence JavaScript client) allows an attacker with ordinary channel access to cause a persistent client-side denial of service against every viewer of a presence channel topic.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003eassets/js/phoenix/presence.js\u003c/tt\u003e and program routines \u003ctt\u003ePresence.syncState\u003c/tt\u003e and \u003ctt\u003ePresence.syncDiff\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe Phoenix JavaScript presence client checks whether a presence already exists with a bare truthiness test (\u003ctt\u003estate[key]\u003c/tt\u003e) instead of an own-property check. Presence keys can be attacker-controlled, because applications track presences under a username or id supplied by the client. A user who joins a channel choosing a key that is an \u003ctt\u003eObject.prototype\u003c/tt\u003e member name (\u003ctt\u003e__proto__\u003c/tt\u003e, \u003ctt\u003econstructor\u003c/tt\u003e, \u003ctt\u003etoString\u003c/tt\u003e, \u003ctt\u003ehasOwnProperty\u003c/tt\u003e, and similar) makes that lookup return JavaScript\u0027s built-in \u003ctt\u003eObject.prototype\u003c/tt\u003e instead of \u003ctt\u003eundefined\u003c/tt\u003e. Because the prototype is truthy, the code treats it as an existing presence and reads \u003ctt\u003e.metas.map(...)\u003c/tt\u003e off it, which throws an uncaught \u003ctt\u003eTypeError\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe exception propagates out of the presence message handler, so the local state is never updated and \u003ctt\u003eonSync()\u003c/tt\u003e never fires. Because the malicious key is tracked on the server, it is re-pushed on every presence update and keeps re-throwing, so presence sync stays broken for every viewer of that channel topic until the attacker leaves. Both \u003ctt\u003esyncState\u003c/tt\u003e and \u003ctt\u003esyncDiff\u003c/tt\u003e use the same unsafe existence-check pattern. The impact is limited to the affected topic and is a read-time confusion of the prototype object, not a mutation of \u003ctt\u003eObject.prototype\u003c/tt\u003e (it is not prototype pollution).\u003c/p\u003e\u003cp\u003eThis issue affects phoenix: from 1.2.0-rc.0 before 1.5.15, from 1.6.0-rc.0 before 1.6.17, from 1.7.0-rc.0 before 1.7.24, and from 1.8.0-rc.0 before 1.8.9.\u003c/p\u003e"
            }
          ],
          "value": "Improper Check for Unusual or Exceptional Conditions vulnerability in phoenixframework phoenix (Presence JavaScript client) allows an attacker with ordinary channel access to cause a persistent client-side denial of service against every viewer of a presence channel topic.\n\nThis vulnerability is associated with program files assets/js/phoenix/presence.js and program routines Presence.syncState and Presence.syncDiff.\n\nThe Phoenix JavaScript presence client checks whether a presence already exists with a bare truthiness test (state[key]) instead of an own-property check. Presence keys can be attacker-controlled, because applications track presences under a username or id supplied by the client. A user who joins a channel choosing a key that is an Object.prototype member name (__proto__, constructor, toString, hasOwnProperty, and similar) makes that lookup return JavaScript\u0027s built-in Object.prototype instead of undefined. Because the prototype is truthy, the code treats it as an existing presence and reads .metas.map(...) off it, which throws an uncaught TypeError.\n\nThe exception propagates out of the presence message handler, so the local state is never updated and onSync() never fires. Because the malicious key is tracked on the server, it is re-pushed on every presence update and keeps re-throwing, so presence sync stays broken for every viewer of that channel topic until the attacker leaves. Both syncState and syncDiff use the same unsafe existence-check pattern. The impact is limited to the affected topic and is a read-time confusion of the prototype object, not a mutation of Object.prototype (it is not prototype pollution).\n\nThis issue affects phoenix: from 1.2.0-rc.0 before 1.5.15, from 1.6.0-rc.0 before 1.6.17, from 1.7.0-rc.0 before 1.7.24, and from 1.8.0-rc.0 before 1.8.9."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-153",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-153 Input Data Manipulation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-754",
              "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-07T16:11:22.228Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/phoenixframework/phoenix/security/advisories/GHSA-63mc-hw7g-86rr"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-56812.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-56812"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/phoenixframework/phoenix/commit/7f7b971c1ea0994e3fbd1c11ddb05e780bd38ad8"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/phoenixframework/phoenix/commit/89a1c4be161e436241e12b2378a719904b9bd96f"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/phoenixframework/phoenix/commit/b90b22521465ece00eb5a19d5aa2b9465b209c85"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/phoenixframework/phoenix/commit/beffc4da1e787e572121f68902c63daf4fe7d9c2"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Phoenix JavaScript presence client crashes on presence keys colliding with Object.prototype members in Presence.syncState/syncDiff",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eReject or sanitize presence keys that collide with JavaScript \u003ctt\u003eObject.prototype\u003c/tt\u003e member names (for example \u003ctt\u003e__proto__\u003c/tt\u003e, \u003ctt\u003econstructor\u003c/tt\u003e, \u003ctt\u003eprototype\u003c/tt\u003e, \u003ctt\u003etoString\u003c/tt\u003e, \u003ctt\u003ehasOwnProperty\u003c/tt\u003e) before calling \u003ctt\u003ePhoenix.Presence.track\u003c/tt\u003e, or namespace every presence key with a fixed prefix so that no key can equal a prototype member name. Alternatively, derive presence keys from server-controlled, validated values instead of raw user input.\u003c/p\u003e"
            }
          ],
          "value": "Reject or sanitize presence keys that collide with JavaScript Object.prototype member names (for example __proto__, constructor, prototype, toString, hasOwnProperty) before calling Phoenix.Presence.track, or namespace every presence key with a fixed prefix so that no key can equal a prototype member name. Alternatively, derive presence keys from server-controlled, validated values instead of raw user input."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-56812",
    "datePublished": "2026-07-07T15:22:46.933Z",
    "dateReserved": "2026-06-23T12:29:02.507Z",
    "dateUpdated": "2026-07-07T16:11:22.228Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-57020 (GCVE-0-2026-57020)

Vulnerability from cvelistv5 – Published: 2026-07-09 21:05 – Updated: 2026-07-10 13:29
VLAI
Title
Junos OS: QFX10000 Series: IPv6 multicast traffic received on non-IRB interfaces causes a multicast flood
Summary
An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on QFX10000 Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS). On all QFX10000 platforms in an EVPN-VxLAN scenario, if an attacker sends IPv6 multicast traffic and these packets reach the non-IRB interface of a spine switch it floods the packet to other spines and all Ethernet Segment Identifier (ESI) leaf switches. This flooding causes the packet to be forwarded in a endless loop, which can lead to saturation of the involved links and in turn impact to legitimate traffic. This issue affects Junos OS on QFX10000 Series: * all versions before 23.2R2-S7, * 23.4 versions before 23.4R2-S8, * 24.2 versions before 24.2R2-S4, * 24.4 versions before 24.4R2-S4. This issue does not affect Junos version after 24.4 as the QFX10000 Series devices are not supported on newer versions anymore.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
Impacted products
Vendor Product Version
Juniper Networks Junos OS Affected: 0 , < 23.2R2-S7 (custom)
Affected: 23.4 , < 23.4R2-S8 (custom)
Affected: 24.2 , < 24.2R2-S4 (custom)
Affected: 24.4 , < 24.4R2-S4 (custom)
Create a notification for this product.
Date Public
2026-07-08 16:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-57020",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-10T13:28:54.914596Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-10T13:29:08.357Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "QFX10000 Series"
          ],
          "product": "Junos OS",
          "vendor": "Juniper Networks",
          "versions": [
            {
              "lessThan": "23.2R2-S7",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "23.4R2-S8",
              "status": "affected",
              "version": "23.4",
              "versionType": "custom"
            },
            {
              "lessThan": "24.2R2-S4",
              "status": "affected",
              "version": "24.2",
              "versionType": "custom"
            },
            {
              "lessThan": "24.4R2-S4",
              "status": "affected",
              "version": "24.4",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2026-07-08T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on QFX10000 Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).\u003cp\u003e\n\nOn all QFX10000 platforms in an EVPN-VxLAN scenario, if an attacker sends IPv6 multicast traffic and these packets reach the non-IRB interface of a spine switch it floods the packet to other spines and all Ethernet Segment Identifier (ESI)\u0026nbsp;leaf switches. This flooding causes the packet to be forwarded in a endless loop, which can lead to saturation of the involved links and in turn impact to legitimate traffic.\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003cbr\u003eThis issue affects Junos OS on QFX10000 Series:\u003cbr\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eall versions before 23.2R2-S7,\u003c/li\u003e\u003cli\u003e23.4 versions before 23.4R2-S8,\u003c/li\u003e\u003cli\u003e24.2 versions before 24.2R2-S4,\u003c/li\u003e\u003cli\u003e24.4 versions before 24.4R2-S4.\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003eThis issue does not affect Junos version after 24.4 as the QFX10000 Series devices are not supported on newer versions anymore.\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on QFX10000 Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).\n\nOn all QFX10000 platforms in an EVPN-VxLAN scenario, if an attacker sends IPv6 multicast traffic and these packets reach the non-IRB interface of a spine switch it floods the packet to other spines and all Ethernet Segment Identifier (ESI)\u00a0leaf switches. This flooding causes the packet to be forwarded in a endless loop, which can lead to saturation of the involved links and in turn impact to legitimate traffic.\n\n\n\nThis issue affects Junos OS on QFX10000 Series:\n\n\n  *  all versions before 23.2R2-S7,\n  *  23.4 versions before 23.4R2-S8,\n  *  24.2 versions before 24.2R2-S4,\n  *  24.4 versions before 24.4R2-S4.\n\n\n\nThis issue does not affect Junos version after 24.4 as the QFX10000 Series devices are not supported on newer versions anymore."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
            }
          ],
          "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/R:U/RE:M",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-754",
              "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-09T21:05:07.368Z",
        "orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
        "shortName": "juniper"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://supportportal.juniper.net/JSA110080"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The following software releases have been updated to resolve this specific issue:\n\nJunos OS: 23.2R2-S7, 23.4R2-S8, 24.2R2-S4, 24.4R2-S4."
            }
          ],
          "value": "The following software releases have been updated to resolve this specific issue:\n\nJunos OS: 23.2R2-S7, 23.4R2-S8, 24.2R2-S4, 24.4R2-S4."
        }
      ],
      "source": {
        "advisory": "JSA110080",
        "defect": [
          "1916949"
        ],
        "discovery": "USER"
      },
      "title": "Junos OS: QFX10000 Series: IPv6 multicast traffic received on non-IRB interfaces causes a multicast flood",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "There are no known workarounds for this issue."
            }
          ],
          "value": "There are no known workarounds for this issue."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
    "assignerShortName": "juniper",
    "cveId": "CVE-2026-57020",
    "datePublished": "2026-07-09T21:05:07.368Z",
    "dateReserved": "2026-06-23T16:27:00.248Z",
    "dateUpdated": "2026-07-10T13:29:08.357Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation ID: MIT-3

Phase: Requirements

Strategy: Language Selection

Description:

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • Choose languages with features such as exception handling that force the programmer to anticipate unusual conditions that may generate exceptions. Custom exceptions may need to be developed to handle unusual business-logic conditions. Be careful not to pass sensitive exceptions back to the user (CWE-209, CWE-248).
Mitigation

Phase: Implementation

Description:

  • Check the results of all functions that return a value and verify that the value is expected.
Mitigation

Phase: Implementation

Description:

  • If using exception handling, catch and throw specific exceptions instead of overly-general exceptions (CWE-396, CWE-397). Catch and handle exceptions as locally as possible so that exceptions do not propagate too far up the call stack (CWE-705). Avoid unchecked or uncaught exceptions where feasible (CWE-248).
Mitigation ID: MIT-39

Phase: Implementation

Description:

  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
  • Exposing additional information to a potential attacker in the context of an exceptional condition can help the attacker determine what attack vectors are most likely to succeed beyond DoS.
Mitigation ID: MIT-5

Phase: Implementation

Strategy: Input Validation

Description:

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation ID: MIT-38

Phases: Architecture and Design, Implementation

Description:

  • If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery.
Mitigation

Phase: Architecture and Design

Description:

  • Use system limits, which should help to prevent resource exhaustion. However, the product should still handle low resource conditions since they may still occur.

No CAPEC attack patterns related to this CWE.

Back to CWE stats page