Search

Find a vulnerability

Search criteria

    36 vulnerabilities

    CVE-2026-6688 (GCVE-0-2026-6688)

    Vulnerability from cvelistv5 – Published: 2026-07-01 14:01 – Updated: 2026-07-01 15:06
    VLAI
    Title
    FatFs Buffer Overflow via Unbounded LFN Filename Copy
    Summary
    FatFs R0.16 and earlier contains a downstream-caller vulnerability pattern associated with FatFs long filename handling. With LFN enabled, fno.fname can be up to 255 characters; many callers copy it into short fixed buffers without bounds checks, causing overflow. This maps to CWE-120 (Buffer Copy without Checking Size of Input). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-120 - Buffer Copy without Checking Size of Input
    Assigner
    Impacted products
    Vendor Product Version
    ChaN FatFs Affected: 0 , ≤ R0.16 (custom)
    Create a notification for this product.
    Date Public
    2026-07-01 13:00
    Credits
    HD Moore of runZero, Inc. Tod Beardsley of runZero, Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6688",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:06:55.618764Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:06:59.026Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FatFs",
              "vendor": "ChaN",
              "versions": [
                {
                  "lessThanOrEqual": "R0.16",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "HD Moore of runZero, Inc."
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero, Inc."
            }
          ],
          "datePublic": "2026-07-01T13:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "FatFs R0.16 and earlier contains a downstream-caller vulnerability pattern associated with FatFs long filename handling. With LFN enabled, fno.fname can be up to 255 characters; many callers copy it into short fixed buffers without bounds checks, causing overflow. This maps to CWE-120 (Buffer Copy without Checking Size of Input). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
                }
              ],
              "value": "FatFs R0.16 and earlier contains a downstream-caller vulnerability pattern associated with FatFs long filename handling. With LFN enabled, fno.fname can be up to 255 characters; many callers copy it into short fixed buffers without bounds checks, causing overflow. This maps to CWE-120 (Buffer Copy without Checking Size of Input). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "PHYSICAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-120",
                  "description": "CWE-120 Buffer Copy without Checking Size of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T14:01:44.487Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/blog/fatfs-bugs/"
            },
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://elm-chan.org/fsw/ff/"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/fatfs-long-fn-of-downstream-cve-2026-6688/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "FatFs Buffer Overflow via Unbounded LFN Filename Copy",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-6688",
        "datePublished": "2026-07-01T14:01:04.915Z",
        "dateReserved": "2026-04-20T15:06:24.308Z",
        "dateUpdated": "2026-07-01T15:06:59.026Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6687 (GCVE-0-2026-6687)

    Vulnerability from cvelistv5 – Published: 2026-07-01 13:57 – Updated: 2026-07-01 15:06
    VLAI
    Title
    FatFs Stack Buffer Overflow via Uncapped exFAT Label Length
    Summary
    FatFs R0.16 and earlier contains a stack overflow bug in f_getlabel() because exFAT label length (XDIR_NumLabel) is trusted without enforcing spec maximums. This maps to CWE-121 (Stack-based Buffer Overflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-121 - Stack-based buffer overflow
    Assigner
    Impacted products
    Vendor Product Version
    ChaN FatFs Affected: 0 , ≤ R0.16 (custom)
    Create a notification for this product.
    Date Public
    2026-07-01 13:00
    Credits
    HD Moore of runZero, Inc. Tod Beardsley of runZero, Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6687",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:06:20.995228Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:06:24.705Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FatFs",
              "vendor": "ChaN",
              "versions": [
                {
                  "lessThanOrEqual": "R0.16",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "HD Moore of runZero, Inc."
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero, Inc."
            }
          ],
          "datePublic": "2026-07-01T13:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "FatFs R0.16 and earlier contains a stack overflow bug in f_getlabel() because exFAT label length (XDIR_NumLabel) is trusted without enforcing spec maximums. This maps to CWE-121 (Stack-based Buffer Overflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
                }
              ],
              "value": "FatFs R0.16 and earlier contains a stack overflow bug in f_getlabel() because exFAT label length (XDIR_NumLabel) is trusted without enforcing spec maximums. This maps to CWE-121 (Stack-based Buffer Overflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "PHYSICAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121 Stack-based buffer overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T14:10:29.724Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/blog/fatfs-bugs/"
            },
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://elm-chan.org/fsw/ff/"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/fatfs-exfat-label-len-of-cve-2026-6687/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "FatFs Stack Buffer Overflow via Uncapped exFAT Label Length",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-6687",
        "datePublished": "2026-07-01T13:57:54.242Z",
        "dateReserved": "2026-04-20T15:06:23.356Z",
        "dateUpdated": "2026-07-01T15:06:24.705Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6686 (GCVE-0-2026-6686)

    Vulnerability from cvelistv5 – Published: 2026-07-01 13:55 – Updated: 2026-07-01 15:05
    VLAI
    Title
    FatFs Use of Uninitialized Clusters After Seek Past EOF
    Summary
    FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-908 - Use of uninitialized resource
    Assigner
    Impacted products
    Vendor Product Version
    ChaN FatFs Affected: 0 , ≤ R0.16 (custom)
    Create a notification for this product.
    Date Public
    2026-07-01 13:00
    Credits
    HD Moore of runZero, Inc. Tod Beardsley of runZero, Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6686",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:05:23.138301Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:05:27.926Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FatFs",
              "vendor": "ChaN",
              "versions": [
                {
                  "lessThanOrEqual": "R0.16",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "HD Moore of runZero, Inc."
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero, Inc."
            }
          ],
          "datePublic": "2026-07-01T13:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial."
                }
              ],
              "value": "FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "PHYSICAL",
                "availabilityImpact": "NONE",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-908",
                  "description": "CWE-908 Use of uninitialized resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T13:55:09.072Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/blog/fatfs-bugs/"
            },
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://elm-chan.org/fsw/ff/"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/fatfs-uninit-cluster-exposure-cve-2026-6686/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "FatFs Use of Uninitialized Clusters After Seek Past EOF",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-6686",
        "datePublished": "2026-07-01T13:55:09.072Z",
        "dateReserved": "2026-04-20T15:06:22.242Z",
        "dateUpdated": "2026-07-01T15:05:27.926Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6685 (GCVE-0-2026-6685)

    Vulnerability from cvelistv5 – Published: 2026-07-01 13:47 – Updated: 2026-07-01 15:26
    VLAI
    Title
    FatFs Integer Underflow in Dirty-Sector Cache Flush
    Summary
    FatFs R0.16 and earlier exhibits a stale dirty-cache skip via unsigned-subtraction wrap in f_read() / f_write() (fp->sect - sect < cc) during interleaved read/write on fragmented filesystems. This maps to CWE-191 (Integer Underflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (6.1, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-191 - Integer underflow (wrap or wraparound)
    Assigner
    Impacted products
    Vendor Product Version
    ChaN FatFs Affected: 0 , ≤ R0.16 (custom)
    Create a notification for this product.
    Date Public
    2026-07-01 13:00
    Credits
    HD Moore of runZero, Inc. Tod Beardsley of runZero, Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6685",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:26:17.001634Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:26:37.612Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FatFs",
              "vendor": "ChaN",
              "versions": [
                {
                  "lessThanOrEqual": "R0.16",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "HD Moore of runZero, Inc."
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero, Inc."
            }
          ],
          "datePublic": "2026-07-01T13:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "FatFs R0.16 and earlier exhibits a stale dirty-cache skip via unsigned-subtraction wrap in f_read() / f_write() (fp-\u0026gt;sect - sect \u0026lt; cc) during interleaved read/write on fragmented filesystems. This maps to CWE-191 (Integer Underflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (6.1, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
                }
              ],
              "value": "FatFs R0.16 and earlier exhibits a stale dirty-cache skip via unsigned-subtraction wrap in f_read() / f_write() (fp-\u003esect - sect \u003c cc) during interleaved read/write on fragmented filesystems. This maps to CWE-191 (Integer Underflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (6.1, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "PHYSICAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-191",
                  "description": "CWE-191 Integer underflow (wrap or wraparound)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T14:10:51.392Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/blog/fatfs-bugs/"
            },
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://elm-chan.org/fsw/ff/"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/fatfs-unsigned-sub-wrap-cve-2026-6685/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "FatFs Integer Underflow in Dirty-Sector Cache Flush",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-6685",
        "datePublished": "2026-07-01T13:47:25.764Z",
        "dateReserved": "2026-04-20T15:06:21.250Z",
        "dateUpdated": "2026-07-01T15:26:37.612Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6684 (GCVE-0-2026-6684)

    Vulnerability from cvelistv5 – Published: 2026-07-01 13:45 – Updated: 2026-07-01 15:25
    VLAI
    Title
    FatFs Infinite Loop in GPT Partition Scan
    Summary
    FatFs prior to R0.16 that use GPT scanning with 'FF_LBA64 = 1' contains an issue where an unbounded loop count derived from GPT header field GPTH_PtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-835 - Loop with unreachable exit condition ('infinite loop')
    Assigner
    Impacted products
    Vendor Product Version
    ChaN FatFs Affected: 0 , < R0.16 (custom)
    Create a notification for this product.
    Date Public
    2026-07-01 13:00
    Credits
    HD Moore of runZero, Inc. Tod Beardsley of runZero, Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6684",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:25:35.369745Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:25:53.071Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FatFs",
              "vendor": "ChaN",
              "versions": [
                {
                  "lessThan": "R0.16",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "HD Moore of runZero, Inc."
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero, Inc."
            }
          ],
          "datePublic": "2026-07-01T13:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eFatFs prior to R0.16 that use GPT scanning with \u0027FF_LBA64 = 1\u0027 contains an issue where an unbounded loop count derived from GPT header field GPTH_PtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "FatFs prior to R0.16 that use GPT scanning with \u0027FF_LBA64 = 1\u0027 contains an issue where an unbounded loop count derived from GPT header field GPTH_PtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "PHYSICAL",
                "availabilityImpact": "HIGH",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-835",
                  "description": "CWE-835 Loop with unreachable exit condition (\u0027infinite loop\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T14:10:58.544Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/blog/fatfs-bugs/"
            },
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://elm-chan.org/fsw/ff/"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/fatfs-gpt-scan-loop-dos-cve-2026-6684/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "FatFs Infinite Loop in GPT Partition Scan",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-6684",
        "datePublished": "2026-07-01T13:45:03.639Z",
        "dateReserved": "2026-04-20T15:06:20.061Z",
        "dateUpdated": "2026-07-01T15:25:53.071Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6683 (GCVE-0-2026-6683)

    Vulnerability from cvelistv5 – Published: 2026-07-01 13:41 – Updated: 2026-07-01 15:24
    VLAI
    Title
    FatFs Divide-by-Zero in exFAT Sync
    Summary
    FatFs R0.16 and earlier contains a divide-by-zero in exFAT sync logic bug when crafted metadata causes n_fatent - 2 to be zero during write/sync operations. This maps to CWE-369 (Divide By Zero). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). Network-delivered update media can make this remote in some pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    ChaN FatFs Affected: 0 , ≤ R0.16 (custom)
    Create a notification for this product.
    Date Public
    2026-07-01 13:00
    Credits
    HD Moore of runZero, Inc. Tod Beardsley of runZero, Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6683",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:24:38.147110Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:24:56.449Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FatFs",
              "vendor": "ChaN",
              "versions": [
                {
                  "lessThanOrEqual": "R0.16",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "HD Moore of runZero, Inc."
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero, Inc."
            }
          ],
          "datePublic": "2026-07-01T13:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "FatFs R0.16 and earlier contains a divide-by-zero in exFAT sync logic bug when crafted metadata causes n_fatent - 2 to be zero during write/sync operations. This maps to CWE-369 (Divide By Zero). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). Network-delivered update media can make this remote in some pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial."
                }
              ],
              "value": "FatFs R0.16 and earlier contains a divide-by-zero in exFAT sync logic bug when crafted metadata causes n_fatent - 2 to be zero during write/sync operations. This maps to CWE-369 (Divide By Zero). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). Network-delivered update media can make this remote in some pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "PHYSICAL",
                "availabilityImpact": "HIGH",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-369",
                  "description": "CWE-369 Divide by zero",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T14:11:06.688Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/blog/fatfs-bugs/"
            },
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://elm-chan.org/fsw/ff/"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/fatfs-exfat-divide-by-zero-cve-2026-6683"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "FatFs Divide-by-Zero in exFAT Sync",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-6683",
        "datePublished": "2026-07-01T13:41:11.337Z",
        "dateReserved": "2026-04-20T15:06:19.048Z",
        "dateUpdated": "2026-07-01T15:24:56.449Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6682 (GCVE-0-2026-6682)

    Vulnerability from cvelistv5 – Published: 2026-07-01 13:36 – Updated: 2026-07-01 15:24
    VLAI
    Title
    FatFs Integer Overflow in FAT32 Volume Mount
    Summary
    In FatFS R0.16 and earlier contains a FAT32 integer overflow bug in mount_volume() where fasize *= fs->n_fats can wrap, leading to attacker-controlled file-size metadata and unsafe read lengths in downstream callers. This maps to CWE-190 (Integer Overflow or Wraparound). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). Remote delivery is also possible in OTA/update pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-190 - Integer overflow or wraparound
    Assigner
    Impacted products
    Vendor Product Version
    ChaN FatFs Affected: 0 , ≤ R0.16 (custom)
    Create a notification for this product.
    Date Public
    2026-07-01 13:00
    Credits
    HD Moore of runZero, Inc. Tod Beardsley of runZero, Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6682",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:23:46.354718Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:24:05.860Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FatFs",
              "vendor": "ChaN",
              "versions": [
                {
                  "lessThanOrEqual": "R0.16",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "HD Moore of runZero, Inc."
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero, Inc."
            }
          ],
          "datePublic": "2026-07-01T13:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In FatFS R0.16 and earlier contains a FAT32 integer overflow bug in mount_volume() where fasize *= fs-\u0026gt;n_fats can wrap, leading to attacker-controlled file-size metadata and unsafe read lengths in downstream callers. This maps to CWE-190 (Integer Overflow or Wraparound). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). Remote delivery is also possible in OTA/update pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
                }
              ],
              "value": "In FatFS R0.16 and earlier contains a FAT32 integer overflow bug in mount_volume() where fasize *= fs-\u003en_fats can wrap, leading to attacker-controlled file-size metadata and unsafe read lengths in downstream callers. This maps to CWE-190 (Integer Overflow or Wraparound). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). Remote delivery is also possible in OTA/update pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "PHYSICAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190 Integer overflow or wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T14:11:14.785Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/blog/fatfs-bugs/"
            },
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://elm-chan.org/fsw/ff/"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/fatfs-fat32-int-of-mnt-cve-2026-6682/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "FatFs Integer Overflow in FAT32 Volume Mount",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-6682",
        "datePublished": "2026-07-01T13:36:59.935Z",
        "dateReserved": "2026-04-20T15:06:18.243Z",
        "dateUpdated": "2026-07-01T15:24:05.860Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10303 (GCVE-0-2026-10303)

    Vulnerability from cvelistv5 – Published: 2026-06-16 18:24 – Updated: 2026-06-17 15:18
    VLAI
    Title
    ServerCo getssl ACME shell script path injection
    Summary
    In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, "External control of file name or path." Other ACME shell script handlers may be affected by similar issues.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-73 - External control of file name or path
    Assigner
    Impacted products
    Vendor Product Version
    ServerCo getssl Affected: 0 , ≤ 2.49 (custom)
    Create a notification for this product.
    Date Public
    2026-06-16 18:20
    Credits
    remy Tod Beardsley of runZero
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10303",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-17T15:17:32.277126Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-17T15:18:11.930Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "getssl",
              "repo": "https://github.com/srvrco/getssl",
              "vendor": "ServerCo",
              "versions": [
                {
                  "lessThanOrEqual": "2.49",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "remy"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero"
            }
          ],
          "datePublic": "2026-06-16T18:20:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, \"External control of file name or path.\" Other ACME shell script handlers may be affected by similar issues."
                }
              ],
              "value": "In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, \"External control of file name or path.\" Other ACME shell script handlers may be affected by similar issues."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "CWE-73 External control of file name or path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-16T18:24:43.712Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "mitigation"
              ],
              "url": "https://github.com/srvrco/getssl/pull/896"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://remyhax.xyz/posts/reproducing-lawful-tls-wiretapping/"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://www.cve.org/CVERecord?id=CVE-2023-38198"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/serverco-getssl-acme-cmd-injection-cve-2026-10303/"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://github.com/srvrco/getssl/releases/tag/v2.50"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "ServerCo getssl ACME shell script path injection",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-10303",
        "datePublished": "2026-06-16T18:24:43.712Z",
        "dateReserved": "2026-05-31T21:05:04.476Z",
        "dateUpdated": "2026-06-17T15:18:11.930Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50091 (GCVE-0-2026-50091)

    Vulnerability from cvelistv5 – Published: 2026-06-12 15:02 – Updated: 2026-06-12 16:22
    VLAI
    Title
    Aqara Home Android SDK hardcoded keys
    Summary
    Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptographic keys, which is an instance of "CWE-321: Use of Hard-coded Cryptographic Key" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical).
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-321 - Use of hard-coded cryptographic key
    Assigner
    References
    Impacted products
    Vendor Product Version
    Aqara com.lumiunited.aqarahome Affected: 6.0.0 , < 0 (semver)
    Create a notification for this product.
    Date Public
    2026-06-12 15:00
    Credits
    Sammy Azdoufal Tod Beardsley of runZero, Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50091",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T16:22:49.247673Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T16:22:58.685Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/xn0tsa/theres-no-place-like-home"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "com.lumiunited.aqarahome",
              "vendor": "Aqara",
              "versions": [
                {
                  "lessThan": "0",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sammy Azdoufal"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero, Inc."
            }
          ],
          "datePublic": "2026-06-12T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptographic keys, which is an instance of \"CWE-321: Use of Hard-coded Cryptographic Key\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical)."
                }
              ],
              "value": "Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptographic keys, which is an instance of \"CWE-321: Use of Hard-coded Cryptographic Key\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-321",
                  "description": "CWE-321 Use of hard-coded cryptographic key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T15:02:24.208Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/xn0tsa/theres-no-place-like-home"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/aqara-hardcoded-sdk-keys-cve-2026-50091"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Aqara Home Android SDK hardcoded keys",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-50091",
        "datePublished": "2026-06-12T15:02:24.208Z",
        "dateReserved": "2026-06-03T14:25:34.982Z",
        "dateUpdated": "2026-06-12T16:22:58.685Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50090 (GCVE-0-2026-50090)

    Vulnerability from cvelistv5 – Published: 2026-06-12 15:02 – Updated: 2026-06-12 15:49
    VLAI
    Title
    Aqara OAuth redirect_uri validation bypass
    Summary
    The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper Validation of Unsafe Equivalence in Input" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (9.3 Critical).
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1289 - Improper validation of unsafe equivalence in input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Aqara Cloud OAuth Authorization Endpoint Affected: 2026-04-20 , < 0 (date)
    Create a notification for this product.
    Date Public
    2026-06-12 15:00
    Credits
    Sammy Azdoufal Tod Beardsley of runZero, Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50090",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T15:49:22.517830Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T15:49:43.781Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/xn0tsa/theres-no-place-like-home"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Cloud OAuth Authorization Endpoint",
              "vendor": "Aqara",
              "versions": [
                {
                  "lessThan": "0",
                  "status": "affected",
                  "version": "2026-04-20",
                  "versionType": "date"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sammy Azdoufal"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero, Inc."
            }
          ],
          "datePublic": "2026-06-12T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of \"CWE-1289: Improper Validation of Unsafe Equivalence in Input\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (9.3 Critical)."
                }
              ],
              "value": "The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of \"CWE-1289: Improper Validation of Unsafe Equivalence in Input\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (9.3 Critical)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1289",
                  "description": "CWE-1289 Improper validation of unsafe equivalence in input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T15:02:13.840Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/xn0tsa/theres-no-place-like-home"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/aqara-oauth-redirect-validation-bypass-cve-2026-50090"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Aqara OAuth redirect_uri validation bypass",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-50090",
        "datePublished": "2026-06-12T15:02:13.840Z",
        "dateReserved": "2026-06-03T14:25:34.982Z",
        "dateUpdated": "2026-06-12T15:49:43.781Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50089 (GCVE-0-2026-50089)

    Vulnerability from cvelistv5 – Published: 2026-06-12 15:02 – Updated: 2026-06-12 15:50
    VLAI
    Title
    Aqara IAM/SSO Gateway open redirect
    Summary
    The Aqara IAM/SSO Gateway (gw-builder.aqara.com) provides an open redirect, which is an instance of "CWE-601: URL Redirection to Untrusted Site," with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (6.1 Medium), which can be used to set up a phishing attack.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL redirection to untrusted site ('open redirect')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Aqara Aqara IAM/SSO Gateway Affected: 2026-04-20 , < 0 (date)
    Create a notification for this product.
    Date Public
    2026-06-12 15:00
    Credits
    Sammy Azdoufal Tod Beardsley of runZero, Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50089",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T15:50:04.675728Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T15:50:31.374Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/xn0tsa/theres-no-place-like-home"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Aqara IAM/SSO Gateway",
              "vendor": "Aqara",
              "versions": [
                {
                  "lessThan": "0",
                  "status": "affected",
                  "version": "2026-04-20",
                  "versionType": "date"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sammy Azdoufal"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero, Inc."
            }
          ],
          "datePublic": "2026-06-12T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Aqara IAM/SSO Gateway (gw-builder.aqara.com) provides an open redirect, which is an instance of \"CWE-601: URL Redirection to Untrusted Site,\" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (6.1 Medium), which can be used to set up a phishing attack.\u003cbr\u003e"
                }
              ],
              "value": "The Aqara IAM/SSO Gateway (gw-builder.aqara.com) provides an open redirect, which is an instance of \"CWE-601: URL Redirection to Untrusted Site,\" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (6.1 Medium), which can be used to set up a phishing attack."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601 URL redirection to untrusted site (\u0027open redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T15:02:02.056Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/xn0tsa/theres-no-place-like-home"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/aqara-sso-open-redirect-cve-2026-50089"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Aqara IAM/SSO Gateway open redirect",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-50089",
        "datePublished": "2026-06-12T15:02:02.056Z",
        "dateReserved": "2026-06-03T14:25:34.982Z",
        "dateUpdated": "2026-06-12T15:50:31.374Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50088 (GCVE-0-2026-50088)

    Vulnerability from cvelistv5 – Published: 2026-06-12 15:01 – Updated: 2026-06-12 15:51
    VLAI
    Title
    Aqara Developer Portal cross-origin resource sharing
    Summary
    The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-942 - Permissive cross-domain security policy with untrusted domains
    Assigner
    References
    Impacted products
    Vendor Product Version
    Aqara Aqara Developer Portal Affected: 2026-04-20 , < 0 (date)
    Create a notification for this product.
    Aqara Aqara Developer Test Portal Affected: 2026-04-20 , < 0 (date)
    Create a notification for this product.
    Date Public
    2026-06-12 15:00
    Credits
    Sammy Azdoufal Tod Beardsley of runZero, Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50088",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T15:51:00.517874Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T15:51:21.684Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/xn0tsa/theres-no-place-like-home"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Aqara Developer Portal",
              "vendor": "Aqara",
              "versions": [
                {
                  "lessThan": "0",
                  "status": "affected",
                  "version": "2026-04-20",
                  "versionType": "date"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Aqara Developer Test Portal",
              "vendor": "Aqara",
              "versions": [
                {
                  "lessThan": "0",
                  "status": "affected",
                  "version": "2026-04-20",
                  "versionType": "date"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sammy Azdoufal"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero, Inc."
            }
          ],
          "datePublic": "2026-06-12T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of \"CWE-942: Permissive Cross-domain Policy with Untrusted Domains,\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High)."
                }
              ],
              "value": "The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of \"CWE-942: Permissive Cross-domain Policy with Untrusted Domains,\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-942",
                  "description": "CWE-942 Permissive cross-domain security policy with untrusted domains",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T15:01:49.680Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/xn0tsa/theres-no-place-like-home"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/aqara-dev-portal-cors-cve-2026-50088"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Aqara Developer Portal cross-origin resource sharing",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-50088",
        "datePublished": "2026-06-12T15:01:49.680Z",
        "dateReserved": "2026-06-03T14:25:34.982Z",
        "dateUpdated": "2026-06-12T15:51:21.684Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50087 (GCVE-0-2026-50087)

    Vulnerability from cvelistv5 – Published: 2026-06-12 15:01 – Updated: 2026-06-12 15:52
    VLAI
    Title
    Aqara IAM/SSO Gateway cross-origin resource sharing
    Summary
    The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-942 - Permissive cross-domain security policy with untrusted domains
    Assigner
    References
    Impacted products
    Vendor Product Version
    Aqara Aqara IAM/SSO Gateway Affected: 2026-04-20 , < 0 (date)
    Create a notification for this product.
    Date Public
    2026-06-12 15:00
    Credits
    Sammy Azdoufal Tod Beardsley of runZero, Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50087",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T15:51:57.814157Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T15:52:19.433Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/xn0tsa/theres-no-place-like-home"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Aqara IAM/SSO Gateway",
              "vendor": "Aqara",
              "versions": [
                {
                  "lessThan": "0",
                  "status": "affected",
                  "version": "2026-04-20",
                  "versionType": "date"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sammy Azdoufal"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero, Inc."
            }
          ],
          "datePublic": "2026-06-12T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of \"CWE-942: Permissive Cross-domain Policy with Untrusted Domains,\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High)."
                }
              ],
              "value": "The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of \"CWE-942: Permissive Cross-domain Policy with Untrusted Domains,\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-942",
                  "description": "CWE-942 Permissive cross-domain security policy with untrusted domains",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T15:01:37.508Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/xn0tsa/theres-no-place-like-home"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/aqara-iam-sso-cors-cve-2026-50087"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Aqara IAM/SSO Gateway cross-origin resource sharing",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-50087",
        "datePublished": "2026-06-12T15:01:37.508Z",
        "dateReserved": "2026-06-03T14:25:34.982Z",
        "dateUpdated": "2026-06-12T15:52:19.433Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50086 (GCVE-0-2026-50086)

    Vulnerability from cvelistv5 – Published: 2026-06-12 15:01 – Updated: 2026-06-12 15:48
    VLAI
    Title
    Aqara unauthenticated AES oracle
    Summary
    The Aqara IAM/SSO gateway (gw-builder.aqara.com) exposes bidirectional AES round-trups against the platform's signing key without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and "CWE-327: Use of a Broken or Risky Cryptographic Algorithm," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High).
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
    Assigner
    References
    Impacted products
    Vendor Product Version
    Aqara Aqara IAM/SSO Gateway Affected: 2026-04-20 , < 0 (date)
    Create a notification for this product.
    Date Public
    2026-06-12 15:00
    Credits
    Sammy Azdoufal Tod Beardsley of runZero, Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50086",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T15:48:33.784868Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T15:48:59.149Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/xn0tsa/theres-no-place-like-home"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Aqara IAM/SSO Gateway",
              "vendor": "Aqara",
              "versions": [
                {
                  "lessThan": "0",
                  "status": "affected",
                  "version": "2026-04-20",
                  "versionType": "date"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sammy Azdoufal"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero, Inc."
            }
          ],
          "datePublic": "2026-06-12T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Aqara IAM/SSO gateway (gw-builder.aqara.com) exposes bidirectional AES round-trups against the platform\u0027s signing key without authentication. This is an instance of \"CWE-306: Missing Authentication for Critical Function\" and \"CWE-327: Use of a Broken or Risky Cryptographic Algorithm,\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High)."
                }
              ],
              "value": "The Aqara IAM/SSO gateway (gw-builder.aqara.com) exposes bidirectional AES round-trups against the platform\u0027s signing key without authentication. This is an instance of \"CWE-306: Missing Authentication for Critical Function\" and \"CWE-327: Use of a Broken or Risky Cryptographic Algorithm,\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-327",
                  "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T15:01:26.055Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/xn0tsa/theres-no-place-like-home"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/aqara-unauth-aes-oracle-cve-2026-50086"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Aqara unauthenticated AES oracle",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-50086",
        "datePublished": "2026-06-12T15:01:26.055Z",
        "dateReserved": "2026-06-03T14:25:34.982Z",
        "dateUpdated": "2026-06-12T15:48:59.149Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50085 (GCVE-0-2026-50085)

    Vulnerability from cvelistv5 – Published: 2026-06-12 15:01 – Updated: 2026-06-12 15:54
    VLAI
    Title
    Aqara Board IoT insecure debug API
    Summary
    The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and has an estimated CVSS ofCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (8.6 High). When combined with CVE-2026-50082, CVE-50083, and CVE-50084, this can lead to a fully unauthenticated, remote takeover of affected devices.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing authentication for critical function
    Assigner
    References
    Impacted products
    Vendor Product Version
    Aqara Board service Affected: 2026-04-20 , < 0 (date)
    Create a notification for this product.
    Date Public
    2026-06-12 15:00
    Credits
    Sammy Azdoufal Tod Beardsley of runZero, Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50085",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T15:54:13.689198Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T15:54:34.323Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/xn0tsa/theres-no-place-like-home"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Board service",
              "vendor": "Aqara",
              "versions": [
                {
                  "lessThan": "0",
                  "status": "affected",
                  "version": "2026-04-20",
                  "versionType": "date"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sammy Azdoufal"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero, Inc."
            }
          ],
          "datePublic": "2026-06-12T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom\u0027s HiveMQ broker without authentication. This is an instance of \"CWE-306: Missing Authentication for Critical Function\" and has an estimated CVSS ofCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (8.6 High). When combined with CVE-2026-50082, CVE-50083, and CVE-50084, this can lead to a fully unauthenticated, remote takeover of affected devices."
                }
              ],
              "value": "The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom\u0027s HiveMQ broker without authentication. This is an instance of \"CWE-306: Missing Authentication for Critical Function\" and has an estimated CVSS ofCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (8.6 High). When combined with CVE-2026-50082, CVE-50083, and CVE-50084, this can lead to a fully unauthenticated, remote takeover of affected devices."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing authentication for critical function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T15:01:13.523Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/xn0tsa/theres-no-place-like-home"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/aqara-board-iot-insecure-debug-api-cve-2026-50085"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Aqara Board IoT insecure debug API",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-50085",
        "datePublished": "2026-06-12T15:01:13.523Z",
        "dateReserved": "2026-06-03T14:25:34.982Z",
        "dateUpdated": "2026-06-12T15:54:34.323Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50084 (GCVE-0-2026-50084)

    Vulnerability from cvelistv5 – Published: 2026-06-12 15:01 – Updated: 2026-06-12 15:55
    VLAI
    Title
    Aqara API cross-account access
    Summary
    The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical). When combined with CVE-2026-50082, CVE-50083, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Aqara Cloud Production API Affected: 2026-04-20 , < 0 (date)
    Create a notification for this product.
    Date Public
    2026-06-12 15:00
    Credits
    Sammy Azdoufal Tod Beardsley of runZero, Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50084",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T15:55:07.354028Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T15:55:29.162Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/xn0tsa/theres-no-place-like-home"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Cloud Production API",
              "vendor": "Aqara",
              "versions": [
                {
                  "lessThan": "0",
                  "status": "affected",
                  "version": "2026-04-20",
                  "versionType": "date"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sammy Azdoufal"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero, Inc."
            }
          ],
          "datePublic": "2026-06-12T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of \"CWE-862: Missing Authorization\" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical). When combined with CVE-2026-50082, CVE-50083, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices."
                }
              ],
              "value": "The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of \"CWE-862: Missing Authorization\" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical). When combined with CVE-2026-50082, CVE-50083, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T15:01:00.952Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/xn0tsa/theres-no-place-like-home"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/aqara-api-access-cve-2026-50084"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Aqara API cross-account access",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-50084",
        "datePublished": "2026-06-12T15:01:00.952Z",
        "dateReserved": "2026-06-03T14:25:34.982Z",
        "dateUpdated": "2026-06-12T15:55:29.162Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50083 (GCVE-0-2026-50083)

    Vulnerability from cvelistv5 – Published: 2026-06-12 15:00 – Updated: 2026-06-12 15:56
    VLAI
    Title
    Aqara hardcoded OAuth client credentials
    Summary
    The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical). When combined with CVE-2026-50082, CVE-50084, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    References
    Impacted products
    Vendor Product Version
    Aqara Aquara IAM/SSO Gateway Affected: 2026-04-20 , < 0 (date)
    Create a notification for this product.
    Date Public
    2026-06-12 15:00
    Credits
    Sammy Azdoufal Tod Beardsley of runZero, Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50083",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T15:55:58.127070Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T15:56:21.727Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/xn0tsa/theres-no-place-like-home"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Aquara IAM/SSO Gateway",
              "vendor": "Aqara",
              "versions": [
                {
                  "lessThan": "0",
                  "status": "affected",
                  "version": "2026-04-20",
                  "versionType": "date"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sammy Azdoufal"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero, Inc."
            }
          ],
          "datePublic": "2026-06-12T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Aqara IAM/SSO Gateway (\u003ccode\u003egw-builder.aqara.com\u003c/code\u003e) used a hardcoded OAuth client credential, which is an instance of\u0026nbsp;\u003cstrong\u003e\"\u003c/strong\u003eCWE-798: Use of Hard-coded Credentials.\" This issue has an estimated CVSS of\u0026nbsp;\u003ccode\u003eCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\u003c/code\u003e\u0026nbsp;(9.1 Critical). When combined with CVE-2026-50082, CVE-50084, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices."
                }
              ],
              "value": "The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of\u00a0\"CWE-798: Use of Hard-coded Credentials.\" This issue has an estimated CVSS of\u00a0CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\u00a0(9.1 Critical). When combined with CVE-2026-50082, CVE-50084, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T15:00:49.311Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/xn0tsa/theres-no-place-like-home"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/aqara-hardcoded-oauth-cve-2026-50083"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Aqara hardcoded OAuth client credentials",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-50083",
        "datePublished": "2026-06-12T15:00:49.311Z",
        "dateReserved": "2026-06-03T14:25:34.982Z",
        "dateUpdated": "2026-06-12T15:56:21.727Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50082 (GCVE-0-2026-50082)

    Vulnerability from cvelistv5 – Published: 2026-06-12 15:00 – Updated: 2026-06-12 15:53
    VLAI
    Title
    Aqara Developer Portal insecure authentication token
    Summary
    The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker. This is an instance of "CWE-306: Missing Authentication for Critical Function" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (6.5 Medium). When combined with CVE-2026-50083, CVE-2026-50084, and CVE-2026-50085, any otherwise-unauthenticated attacker could execute a full takeover of affected devices.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    References
    Impacted products
    Vendor Product Version
    Aqara Cloud Developer Portal Affected: 2026-04-20 , < 0 (date)
    Create a notification for this product.
    Date Public
    2026-06-12 15:00
    Credits
    Sammy Azdoufal Tod Beardsley of runZero, Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50082",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T15:53:19.154380Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T15:53:41.579Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/xn0tsa/theres-no-place-like-home"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Cloud Developer Portal",
              "vendor": "Aqara",
              "versions": [
                {
                  "lessThan": "0",
                  "status": "affected",
                  "version": "2026-04-20",
                  "versionType": "date"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sammy Azdoufal"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero, Inc."
            }
          ],
          "datePublic": "2026-06-12T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker. This is an instance of \"CWE-306: Missing Authentication for Critical Function\" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (6.5 Medium). When combined with CVE-2026-50083, CVE-2026-50084, and CVE-2026-50085, any otherwise-unauthenticated attacker could execute a full takeover of affected devices."
                }
              ],
              "value": "The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker. This is an instance of \"CWE-306: Missing Authentication for Critical Function\" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (6.5 Medium). When combined with CVE-2026-50083, CVE-2026-50084, and CVE-2026-50085, any otherwise-unauthenticated attacker could execute a full takeover of affected devices."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T15:00:31.845Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/xn0tsa/theres-no-place-like-home"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/aqara-dev-portal-auth-token-2026-50082"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Aqara Developer Portal insecure authentication token",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-50082",
        "datePublished": "2026-06-12T15:00:31.845Z",
        "dateReserved": "2026-06-03T14:25:34.981Z",
        "dateUpdated": "2026-06-12T15:53:41.579Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33362 (GCVE-0-2026-33362)

    Vulnerability from cvelistv5 – Published: 2026-05-11 16:04 – Updated: 2026-05-11 18:15
    VLAI
    Title
    Meari SDK hardcoded cryptographic keys
    Summary
    In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps <= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service access keys.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-321 - Use of Hard-coded Cryptographic Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meari com.meari.sdk Affected: firmID=8 (custom)
    Create a notification for this product.
    Date Public
    2026-05-11 16:00
    Credits
    Sammy Azdoufal Tod Beardsley of runZero, Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33362",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T18:15:31.897348Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T18:15:45.783Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "com.meari.sdk",
              "vendor": "Meari",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmID=8",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sammy Azdoufal"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero, Inc."
            }
          ],
          "datePublic": "2026-05-11T16:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps \u0026lt;= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service access keys.\u003cbr\u003e"
                }
              ],
              "value": "In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps \u003c= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service access keys."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-321",
                  "description": "CWE-321 Use of Hard-coded Cryptographic Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-11T16:04:16.704Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/meari-sdk-hardcoded-cryptographic-keys-cve-2026-33362/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Meari SDK hardcoded cryptographic keys",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-33362",
        "datePublished": "2026-05-11T16:04:16.704Z",
        "dateReserved": "2026-03-19T00:27:05.987Z",
        "dateUpdated": "2026-05-11T18:15:45.783Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33361 (GCVE-0-2026-33361)

    Vulnerability from cvelistv5 – Published: 2026-05-11 16:03 – Updated: 2026-05-11 18:17
    VLAI
    Title
    Meari weak XOR obfuscation
    Summary
    In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (<= 1.8.x), baby monitor ".jpgx3" files use reversible XOR over only the first 1024 bytes with a predictable key derivation model.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-326 - Inadequate Encryption Strength
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meari com.meari.sdk Affected: firmID=8 (custom)
    Create a notification for this product.
    Date Public
    2026-05-11 16:00
    Credits
    Sammy Azdoufal Tod Beardsley of runZero, Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33361",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T18:17:34.883672Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T18:17:43.933Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "com.meari.sdk",
              "vendor": "Meari",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmID=8",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sammy Azdoufal"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero, Inc."
            }
          ],
          "datePublic": "2026-05-11T16:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (\u0026lt;= 1.8.x), baby monitor \".jpgx3\" files use reversible XOR over only the first 1024 bytes with a predictable key derivation model.\u003cbr\u003e"
                }
              ],
              "value": "In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (\u003c= 1.8.x), baby monitor \".jpgx3\" files use reversible XOR over only the first 1024 bytes with a predictable key derivation model."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-326",
                  "description": "CWE-326 Inadequate Encryption Strength",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-11T16:03:55.746Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/meari-weak-xor-obfuscation-cve-2026-33361/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Meari weak XOR obfuscation",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-33361",
        "datePublished": "2026-05-11T16:03:55.746Z",
        "dateReserved": "2026-03-19T00:27:05.987Z",
        "dateUpdated": "2026-05-11T18:17:43.933Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33359 (GCVE-0-2026-33359)

    Vulnerability from cvelistv5 – Published: 2026-05-11 16:03 – Updated: 2026-05-11 18:18 Exclusively Hosted Service
    VLAI
    Title
    Meari unauthenticated alert image access in cloud object storage
    Summary
    In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meari Alibaba OSS Hosted Affected: April, 2026 (date)
    Create a notification for this product.
    Date Public
    2026-05-11 16:00
    Credits
    Sammy Azdoufal Tod Beardsley of runZero, Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33359",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T18:17:55.620113Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T18:18:06.184Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Alibaba OSS Hosted",
              "vendor": "Meari",
              "versions": [
                {
                  "status": "affected",
                  "version": "April, 2026",
                  "versionType": "date"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sammy Azdoufal"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero, Inc."
            }
          ],
          "datePublic": "2026-05-11T16:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows.\u003cbr\u003e"
                }
              ],
              "value": "In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-11T16:03:21.535Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/meari-unauthenticated-alert-image-access-in-cloud-object-storage-cve-2026-33359/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "tags": [
            "exclusively-hosted-service"
          ],
          "title": "Meari unauthenticated alert image access in cloud object storage",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-33359",
        "datePublished": "2026-05-11T16:03:21.535Z",
        "dateReserved": "2026-03-19T00:27:05.987Z",
        "dateUpdated": "2026-05-11T18:18:06.184Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33357 (GCVE-0-2026-33357)

    Vulnerability from cvelistv5 – Published: 2026-05-11 16:02 – Updated: 2026-05-11 18:18
    VLAI
    Title
    Meari OpenAPI device status IDOR
    Summary
    In Meari client applications embedding "com.meari.sdk" (including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label <= 1.8.x), the integrated call path to openapi-euce.mearicloud.com can be abused to retrieve WAN IP data for arbitrary devices. The root cause is a server-side authorization failure in "GET /openapi/device/status".
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meari com.meari.sdk Affected: firmID=8 (custom)
    Create a notification for this product.
    Date Public
    2026-05-11 16:00
    Credits
    Sammy Azdoufal Tod Beardsley of runZero, Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33357",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T18:18:17.383807Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T18:18:25.334Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "com.meari.sdk",
              "vendor": "Meari",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmID=8",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sammy Azdoufal"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero, Inc."
            }
          ],
          "datePublic": "2026-05-11T16:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In Meari client applications embedding \"com.meari.sdk\" (including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label \u0026lt;= 1.8.x), the integrated call path to openapi-euce.mearicloud.com can be abused to retrieve WAN IP data for arbitrary devices. The root cause is a server-side authorization failure in \"GET /openapi/device/status\"."
                }
              ],
              "value": "In Meari client applications embedding \"com.meari.sdk\" (including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label \u003c= 1.8.x), the integrated call path to openapi-euce.mearicloud.com can be abused to retrieve WAN IP data for arbitrary devices. The root cause is a server-side authorization failure in \"GET /openapi/device/status\"."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-11T16:02:40.597Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/meari-openapi-device-status-idor-cve-2026-33357/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Meari OpenAPI device status IDOR",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-33357",
        "datePublished": "2026-05-11T16:02:40.597Z",
        "dateReserved": "2026-03-19T00:27:05.986Z",
        "dateUpdated": "2026-05-11T18:18:25.334Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33356 (GCVE-0-2026-33356)

    Vulnerability from cvelistv5 – Published: 2026-05-11 16:02 – Updated: 2026-05-11 18:18
    VLAI
    Title
    Meari MQTT broker missing per-device subscribe ACL
    Summary
    In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meari IoT Cloud MQTT Broker EMQX Affected: 4.x (custom)
    Create a notification for this product.
    Date Public
    2026-05-11 16:00
    Credits
    Sammy Azdoufal Tod Beardsley of runZero, Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33356",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T18:18:36.704517Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T18:18:45.410Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "IoT Cloud MQTT Broker EMQX",
              "vendor": "Meari",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.x",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sammy Azdoufal"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero, Inc."
            }
          ],
          "datePublic": "2026-05-11T16:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope."
                }
              ],
              "value": "In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-11T16:02:14.046Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.runzero.com/advisories/meari-mqtt-broker-missing-per-device-subscribe-acl-cve-2026-33356/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Meari MQTT broker missing per-device subscribe ACL",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-33356",
        "datePublished": "2026-05-11T16:02:14.046Z",
        "dateReserved": "2026-03-19T00:27:05.986Z",
        "dateUpdated": "2026-05-11T18:18:45.410Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7778 (GCVE-0-2026-7778)

    Vulnerability from cvelistv5 – Published: 2026-05-05 13:44 – Updated: 2026-05-05 14:41
    VLAI
    Title
    runZero Platform dashboard configuration exposure
    Summary
    An issue that could allow a dashboard configuration to be viewed from outside of the authorized organization scope has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N (5.0, Medium). This issue was fixed in version v4.0.260416.0 of the runZero Platform.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Vendor Product Version
    runZero Platform Affected: 0 , < 4.0.260416.0 (semver)
    Create a notification for this product.
    Date Public
    2026-05-05 13:00
    Credits
    runZero Tod Beardsley of runZero
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7778",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-05T14:41:44.344687Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-05T14:41:52.389Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Platform",
              "vendor": "runZero",
              "versions": [
                {
                  "lessThan": "4.0.260416.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "runZero"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tod Beardsley of runZero"
            }
          ],
          "datePublic": "2026-05-05T13:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An issue that could allow a dashboard configuration to be viewed from outside of the authorized organization scope has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N (5.0, Medium). This issue was fixed in version v4.0.260416.0 of the runZero Platform."
                }
              ],
              "value": "An issue that could allow a dashboard configuration to be viewed from outside of the authorized organization scope has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N (5.0, Medium). This issue was fixed in version v4.0.260416.0 of the runZero Platform."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "other": {
                "content": {
                  "options": [
                    {
                      "Exploitation": "none"
                    },
                    {
                      "Automatable": "no"
                    },
                    {
                      "Technical Impact": "partial"
                    }
                  ],
                  "role": "CNA",
                  "version": "2.0.3"
                },
                "type": "ssvc"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-05T13:44:38.938Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.runzero.com/advisories/runzero-platform-dashboard-configuration-exposure-cve-2026-7778/"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://help.runzero.com/docs/release-notes/#402604160"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "runZero Platform dashboard configuration exposure",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-7778",
        "datePublished": "2026-05-05T13:44:38.938Z",
        "dateReserved": "2026-05-04T15:23:54.909Z",
        "dateUpdated": "2026-05-05T14:41:52.389Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5384 (GCVE-0-2026-5384)

    Vulnerability from cvelistv5 – Published: 2026-04-07 14:12 – Updated: 2026-04-07 19:59
    VLAI
    Title
    runZero Platform incorrect credential scope
    Summary
    An issue that could allow a credential to be updated and used for a task from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N (5.8 Medium). This issue was fixed in version 4.0.26021.0 of the runZero Platform.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    runZero Platform Affected: 0 , < 4.0.26021.0 (semver)
    Create a notification for this product.
    Date Public
    2026-04-07 14:00
    Credits
    runZero
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5384",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T19:54:15.338081Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T19:59:57.769Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Platform",
              "vendor": "runZero",
              "versions": [
                {
                  "lessThan": "4.0.26021.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "runZero"
            }
          ],
          "datePublic": "2026-04-07T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An issue that could allow a credential to be updated and used for a task from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N (5.8 Medium). This issue was fixed in version 4.0.26021.0 of the runZero Platform.\u003cbr\u003e"
                }
              ],
              "value": "An issue that could allow a credential to be updated and used for a task from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N (5.8 Medium). This issue was fixed in version 4.0.26021.0 of the runZero Platform."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:12:42.547Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://help.runzero.com/docs/release-notes/#402602100"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.runzero.com/advisories/runzero-platform-cve-2026-5384/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "This issue was fixed in version 4.0.26021.0 of the runZero Platform"
                }
              ],
              "value": "This issue was fixed in version 4.0.26021.0 of the runZero Platform"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "runZero Platform incorrect credential scope",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-5384",
        "datePublished": "2026-04-07T14:12:42.547Z",
        "dateReserved": "2026-04-01T20:20:42.640Z",
        "dateUpdated": "2026-04-07T19:59:57.769Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5383 (GCVE-0-2026-5383)

    Vulnerability from cvelistv5 – Published: 2026-04-07 14:12 – Updated: 2026-04-07 20:00
    VLAI
    Title
    runZero Explorer missing authorization check
    Summary
    An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L (4.4 Medium). This issue was fixed in version 4.0.260208.0 of the runZero Explorer.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    runZero Explorer Affected: 0 , < 4.0.260208.0 (semver)
    Create a notification for this product.
    Date Public
    2026-04-07 14:00
    Credits
    runZero
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5383",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T19:53:40.801500Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T20:00:12.927Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Explorer",
              "vendor": "runZero",
              "versions": [
                {
                  "lessThan": "4.0.260208.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "runZero"
            }
          ],
          "datePublic": "2026-04-07T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L (4.4 Medium). This issue was fixed in version 4.0.260208.0 of the runZero Explorer.\u003cbr\u003e"
                }
              ],
              "value": "An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L (4.4 Medium). This issue was fixed in version 4.0.260208.0 of the runZero Explorer."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:12:32.422Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://help.runzero.com/docs/release-notes/#402602080"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.runzero.com/advisories/runzero-explorer-cve-2026-5383/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "This issue was fixed in version 4.0.26021.0 of the runZero Explorer"
                }
              ],
              "value": "This issue was fixed in version 4.0.26021.0 of the runZero Explorer"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "runZero Explorer missing authorization check",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-5383",
        "datePublished": "2026-04-07T14:12:32.422Z",
        "dateReserved": "2026-04-01T20:20:41.608Z",
        "dateUpdated": "2026-04-07T20:00:12.927Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5382 (GCVE-0-2026-5382)

    Vulnerability from cvelistv5 – Published: 2026-04-07 14:12 – Updated: 2026-04-07 15:38
    VLAI
    Title
    runZero Platform MCP endpoint information leak
    Summary
    An issue that could expose records outside of the authorized organization scope through the MCP endpoints has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260206.0 of the runZero Platform.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    runZero Platform Affected: 0 , < 4.0.260206.0 (semver)
    Create a notification for this product.
    Date Public
    2026-04-07 14:00
    Credits
    runZero
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5382",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T15:27:23.682839Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T15:38:38.395Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Platform",
              "vendor": "runZero",
              "versions": [
                {
                  "lessThan": "4.0.260206.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "runZero"
            }
          ],
          "datePublic": "2026-04-07T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An issue that could expose records outside of the authorized organization scope through the MCP endpoints has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of \u003cbr\u003eCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260206.0 of the runZero Platform.\u003cbr\u003e"
                }
              ],
              "value": "An issue that could expose records outside of the authorized organization scope through the MCP endpoints has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of \nCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260206.0 of the runZero Platform."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:12:23.331Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://help.runzero.com/docs/release-notes/#402602060"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.runzero.com/advisories/runzero-platform-mcp-infoleak-cve-2026-5382/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "This issue was fixed in version 4.0.260206.0 of the runZero Platform"
                }
              ],
              "value": "This issue was fixed in version 4.0.260206.0 of the runZero Platform"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "runZero Platform MCP endpoint information leak",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-5382",
        "datePublished": "2026-04-07T14:12:23.331Z",
        "dateReserved": "2026-04-01T20:20:40.699Z",
        "dateUpdated": "2026-04-07T15:38:38.395Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5381 (GCVE-0-2026-5381)

    Vulnerability from cvelistv5 – Published: 2026-04-07 14:12 – Updated: 2026-04-07 15:02
    VLAI
    Title
    runZero Platform task information leak
    Summary
    An issue that could expose task information outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N (2.2 Low). This issue was fixed in version 4.0.260205.0 of the runZero Platform.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    runZero Platform Affected: 0 , < 4.0.260205.0 (semver)
    Create a notification for this product.
    Date Public
    2026-04-07 14:00
    Credits
    runZero
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5381",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T15:02:22.776468Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T15:02:37.040Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Platform",
              "vendor": "runZero",
              "versions": [
                {
                  "lessThan": "4.0.260205.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "runZero"
            }
          ],
          "datePublic": "2026-04-07T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An issue that could expose task information outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N (2.2 Low). This issue was fixed in version 4.0.260205.0 of the runZero Platform.\u003cbr\u003e"
                }
              ],
              "value": "An issue that could expose task information outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N (2.2 Low). This issue was fixed in version 4.0.260205.0 of the runZero Platform."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2.2,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:12:15.851Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://help.runzero.com/docs/release-notes/#402602050"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.runzero.com/advisories/runzero-platform-task-infoleak-cve-2026-5381/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "This issue was fixed in version 4.0.260205.0 of the runZero Platform"
                }
              ],
              "value": "This issue was fixed in version 4.0.260205.0 of the runZero Platform"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "runZero Platform task information leak",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-5381",
        "datePublished": "2026-04-07T14:12:15.851Z",
        "dateReserved": "2026-04-01T20:20:39.700Z",
        "dateUpdated": "2026-04-07T15:02:37.040Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5380 (GCVE-0-2026-5380)

    Vulnerability from cvelistv5 – Published: 2026-04-07 14:12 – Updated: 2026-04-07 15:03
    VLAI
    Title
    runZero Platform cleartext secret exposure
    Summary
    An issue that could allow an authorized user to view the clear-text secrets for a subset of credential types and fields has been resolved. This is an instance of CWE-522: Insufficiently Protected Credentials, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (5.3 Medium). This issue was fixed in version 4.0.260204.2 of the runZero Platform.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    runZero Platform Affected: 0 , < 4.0.260204.2 (semver)
    Create a notification for this product.
    Date Public
    2026-04-07 14:00
    Credits
    runZero
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5380",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T15:03:36.808071Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T15:03:47.654Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Platform",
              "vendor": "runZero",
              "versions": [
                {
                  "lessThan": "4.0.260204.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "runZero"
            }
          ],
          "datePublic": "2026-04-07T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An issue that could allow an authorized user to view the clear-text secrets for a subset of credential types and fields has been resolved. This is an instance of CWE-522: Insufficiently Protected Credentials, and has an estimated CVSS score of\u003cbr\u003eCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (5.3 Medium). This issue was fixed in version 4.0.260204.2 of the runZero Platform.\u003cbr\u003e"
                }
              ],
              "value": "An issue that could allow an authorized user to view the clear-text secrets for a subset of credential types and fields has been resolved. This is an instance of CWE-522: Insufficiently Protected Credentials, and has an estimated CVSS score of\nCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (5.3 Medium). This issue was fixed in version 4.0.260204.2 of the runZero Platform."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:12:05.649Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://help.runzero.com/docs/release-notes/#402602042"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.runzero.com/advisories/runzero-platform-cleartext-exposure-cve-2026-5380/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "This issue was fixed in version 4.0.260204.2 of the runZero Platform"
                }
              ],
              "value": "This issue was fixed in version 4.0.260204.2 of the runZero Platform"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "runZero Platform cleartext secret exposure",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-5380",
        "datePublished": "2026-04-07T14:12:05.649Z",
        "dateReserved": "2026-04-01T20:20:38.604Z",
        "dateUpdated": "2026-04-07T15:03:47.654Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5379 (GCVE-0-2026-5379)

    Vulnerability from cvelistv5 – Published: 2026-04-07 14:11 – Updated: 2026-04-07 15:04
    VLAI
    Title
    runZero Platform MCP certification information leak
    Summary
    An issue that allowed MCP agents to access certificate information from outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260203.0 of the runZero Platform.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    runZero Platform Affected: 0 , < 4.0.260203.0 (semver)
    Create a notification for this product.
    Date Public
    2026-04-07 14:00
    Credits
    runZero
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5379",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T15:04:20.870499Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T15:04:56.157Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Platform",
              "vendor": "runZero",
              "versions": [
                {
                  "lessThan": "4.0.260203.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "runZero"
            }
          ],
          "datePublic": "2026-04-07T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An issue that allowed MCP agents to access certificate information from outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260203.0 of the runZero Platform.\u003cbr\u003e"
                }
              ],
              "value": "An issue that allowed MCP agents to access certificate information from outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260203.0 of the runZero Platform."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:11:53.619Z",
            "orgId": "44488dab-36db-4358-99f9-bc116477f914",
            "shortName": "runZero"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://help.runzero.com/docs/release-notes/#402602030"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.runzero.com/advisories/runzero-platform-mcp-cert-infoleak-cve-2026-5379/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "This issue was fixed in version 4.0.260203.0 of the runZero Platform"
                }
              ],
              "value": "This issue was fixed in version 4.0.260203.0 of the runZero Platform"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "runZero Platform MCP certification information leak",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
        "assignerShortName": "runZero",
        "cveId": "CVE-2026-5379",
        "datePublished": "2026-04-07T14:11:53.619Z",
        "dateReserved": "2026-04-01T20:13:08.079Z",
        "dateUpdated": "2026-04-07T15:04:56.157Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }