Search
Find a vulnerability
Search criteria
36 vulnerabilities
CVE-2026-6688 (GCVE-0-2026-6688)
Vulnerability from cvelistv5 – Published: 2026-07-01 14:01 – Updated: 2026-07-01 15:06
VLAI
Title
FatFs Buffer Overflow via Unbounded LFN Filename Copy
Summary
FatFs R0.16 and earlier contains a downstream-caller vulnerability pattern associated with FatFs long filename handling. With LFN enabled, fno.fname can be up to 255 characters; many callers copy it into short fixed buffers without bounds checks, causing overflow. This maps to CWE-120 (Buffer Copy without Checking Size of Input). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
Severity
7.6 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-120 - Buffer Copy without Checking Size of Input
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.runzero.com/blog/fatfs-bugs/ | third-party-advisory |
| https://github.com/runZeroInc/vulns-2026-fatfs-chance | technical-description |
| https://elm-chan.org/fsw/ff/ | product |
| https://www.runzero.com/advisories/fatfs-long-fn-… | third-party-advisory |
Date Public
2026-07-01 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6688",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:06:55.618764Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:06:59.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FatFs",
"vendor": "ChaN",
"versions": [
{
"lessThanOrEqual": "R0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HD Moore of runZero, Inc."
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-07-01T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "FatFs R0.16 and earlier contains a downstream-caller vulnerability pattern associated with FatFs long filename handling. With LFN enabled, fno.fname can be up to 255 characters; many callers copy it into short fixed buffers without bounds checks, causing overflow. This maps to CWE-120 (Buffer Copy without Checking Size of Input). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"value": "FatFs R0.16 and earlier contains a downstream-caller vulnerability pattern associated with FatFs long filename handling. With LFN enabled, fno.fname can be up to 255 characters; many callers copy it into short fixed buffers without bounds checks, causing overflow. This maps to CWE-120 (Buffer Copy without Checking Size of Input). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120 Buffer Copy without Checking Size of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:01:44.487Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/blog/fatfs-bugs/"
},
{
"tags": [
"technical-description"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"tags": [
"product"
],
"url": "https://elm-chan.org/fsw/ff/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/fatfs-long-fn-of-downstream-cve-2026-6688/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FatFs Buffer Overflow via Unbounded LFN Filename Copy",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-6688",
"datePublished": "2026-07-01T14:01:04.915Z",
"dateReserved": "2026-04-20T15:06:24.308Z",
"dateUpdated": "2026-07-01T15:06:59.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6687 (GCVE-0-2026-6687)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:57 – Updated: 2026-07-01 15:06
VLAI
Title
FatFs Stack Buffer Overflow via Uncapped exFAT Label Length
Summary
FatFs R0.16 and earlier contains a stack overflow bug in f_getlabel() because exFAT label length (XDIR_NumLabel) is trusted without enforcing spec maximums. This maps to CWE-121 (Stack-based Buffer Overflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
Severity
7.6 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based buffer overflow
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.runzero.com/blog/fatfs-bugs/ | third-party-advisory |
| https://github.com/runZeroInc/vulns-2026-fatfs-chance | technical-description |
| https://elm-chan.org/fsw/ff/ | product |
| https://www.runzero.com/advisories/fatfs-exfat-la… | third-party-advisory |
Date Public
2026-07-01 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6687",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:06:20.995228Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:06:24.705Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FatFs",
"vendor": "ChaN",
"versions": [
{
"lessThanOrEqual": "R0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HD Moore of runZero, Inc."
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-07-01T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "FatFs R0.16 and earlier contains a stack overflow bug in f_getlabel() because exFAT label length (XDIR_NumLabel) is trusted without enforcing spec maximums. This maps to CWE-121 (Stack-based Buffer Overflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"value": "FatFs R0.16 and earlier contains a stack overflow bug in f_getlabel() because exFAT label length (XDIR_NumLabel) is trusted without enforcing spec maximums. This maps to CWE-121 (Stack-based Buffer Overflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based buffer overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:10:29.724Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/blog/fatfs-bugs/"
},
{
"tags": [
"technical-description"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"tags": [
"product"
],
"url": "https://elm-chan.org/fsw/ff/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/fatfs-exfat-label-len-of-cve-2026-6687/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FatFs Stack Buffer Overflow via Uncapped exFAT Label Length",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-6687",
"datePublished": "2026-07-01T13:57:54.242Z",
"dateReserved": "2026-04-20T15:06:23.356Z",
"dateUpdated": "2026-07-01T15:06:24.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6686 (GCVE-0-2026-6686)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:55 – Updated: 2026-07-01 15:05
VLAI
Title
FatFs Use of Uninitialized Clusters After Seek Past EOF
Summary
FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
Severity
4.6 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-908 - Use of uninitialized resource
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.runzero.com/blog/fatfs-bugs/ | third-party-advisory |
| https://github.com/runZeroInc/vulns-2026-fatfs-chance | technical-description |
| https://elm-chan.org/fsw/ff/ | product |
| https://www.runzero.com/advisories/fatfs-uninit-c… | third-party-advisory |
Date Public
2026-07-01 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6686",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:05:23.138301Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:05:27.926Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FatFs",
"vendor": "ChaN",
"versions": [
{
"lessThanOrEqual": "R0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HD Moore of runZero, Inc."
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-07-01T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial."
}
],
"value": "FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of uninitialized resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:55:09.072Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/blog/fatfs-bugs/"
},
{
"tags": [
"technical-description"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"tags": [
"product"
],
"url": "https://elm-chan.org/fsw/ff/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/fatfs-uninit-cluster-exposure-cve-2026-6686/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FatFs Use of Uninitialized Clusters After Seek Past EOF",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-6686",
"datePublished": "2026-07-01T13:55:09.072Z",
"dateReserved": "2026-04-20T15:06:22.242Z",
"dateUpdated": "2026-07-01T15:05:27.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6685 (GCVE-0-2026-6685)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:47 – Updated: 2026-07-01 15:26
VLAI
Title
FatFs Integer Underflow in Dirty-Sector Cache Flush
Summary
FatFs R0.16 and earlier exhibits a stale dirty-cache skip via unsigned-subtraction wrap in f_read() / f_write() (fp->sect - sect < cc) during interleaved read/write on fragmented filesystems. This maps to CWE-191 (Integer Underflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (6.1, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
Severity
6.1 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-191 - Integer underflow (wrap or wraparound)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.runzero.com/blog/fatfs-bugs/ | third-party-advisory |
| https://github.com/runZeroInc/vulns-2026-fatfs-chance | technical-description |
| https://elm-chan.org/fsw/ff/ | product |
| https://www.runzero.com/advisories/fatfs-unsigned… | third-party-advisory |
Date Public
2026-07-01 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6685",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:26:17.001634Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:26:37.612Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FatFs",
"vendor": "ChaN",
"versions": [
{
"lessThanOrEqual": "R0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HD Moore of runZero, Inc."
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-07-01T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "FatFs R0.16 and earlier exhibits a stale dirty-cache skip via unsigned-subtraction wrap in f_read() / f_write() (fp-\u0026gt;sect - sect \u0026lt; cc) during interleaved read/write on fragmented filesystems. This maps to CWE-191 (Integer Underflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (6.1, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"value": "FatFs R0.16 and earlier exhibits a stale dirty-cache skip via unsigned-subtraction wrap in f_read() / f_write() (fp-\u003esect - sect \u003c cc) during interleaved read/write on fragmented filesystems. This maps to CWE-191 (Integer Underflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (6.1, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191 Integer underflow (wrap or wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:10:51.392Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/blog/fatfs-bugs/"
},
{
"tags": [
"technical-description"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"tags": [
"product"
],
"url": "https://elm-chan.org/fsw/ff/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/fatfs-unsigned-sub-wrap-cve-2026-6685/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FatFs Integer Underflow in Dirty-Sector Cache Flush",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-6685",
"datePublished": "2026-07-01T13:47:25.764Z",
"dateReserved": "2026-04-20T15:06:21.250Z",
"dateUpdated": "2026-07-01T15:26:37.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6684 (GCVE-0-2026-6684)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:45 – Updated: 2026-07-01 15:25
VLAI
Title
FatFs Infinite Loop in GPT Partition Scan
Summary
FatFs prior to R0.16 that use GPT scanning with 'FF_LBA64 = 1' contains an issue where an unbounded loop count derived from GPT header field GPTH_PtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
Severity
4.6 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-835 - Loop with unreachable exit condition ('infinite loop')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.runzero.com/blog/fatfs-bugs/ | third-party-advisory |
| https://github.com/runZeroInc/vulns-2026-fatfs-chance | technical-description |
| https://elm-chan.org/fsw/ff/ | product |
| https://www.runzero.com/advisories/fatfs-gpt-scan… | third-party-advisory |
Date Public
2026-07-01 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6684",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:25:35.369745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:25:53.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FatFs",
"vendor": "ChaN",
"versions": [
{
"lessThan": "R0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HD Moore of runZero, Inc."
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-07-01T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eFatFs prior to R0.16 that use GPT scanning with \u0027FF_LBA64 = 1\u0027 contains an issue where an unbounded loop count derived from GPT header field GPTH_PtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "FatFs prior to R0.16 that use GPT scanning with \u0027FF_LBA64 = 1\u0027 contains an issue where an unbounded loop count derived from GPT header field GPTH_PtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835 Loop with unreachable exit condition (\u0027infinite loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:10:58.544Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/blog/fatfs-bugs/"
},
{
"tags": [
"technical-description"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"tags": [
"product"
],
"url": "https://elm-chan.org/fsw/ff/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/fatfs-gpt-scan-loop-dos-cve-2026-6684/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FatFs Infinite Loop in GPT Partition Scan",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-6684",
"datePublished": "2026-07-01T13:45:03.639Z",
"dateReserved": "2026-04-20T15:06:20.061Z",
"dateUpdated": "2026-07-01T15:25:53.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6683 (GCVE-0-2026-6683)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:41 – Updated: 2026-07-01 15:24
VLAI
Title
FatFs Divide-by-Zero in exFAT Sync
Summary
FatFs R0.16 and earlier contains a divide-by-zero in exFAT sync logic bug when crafted metadata causes n_fatent - 2 to be zero during write/sync operations. This maps to CWE-369 (Divide By Zero). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). Network-delivered update media can make this remote in some pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
Severity
4.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-369 - Divide by zero
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.runzero.com/blog/fatfs-bugs/ | third-party-advisory |
| https://github.com/runZeroInc/vulns-2026-fatfs-chance | technical-description |
| https://elm-chan.org/fsw/ff/ | product |
| https://www.runzero.com/advisories/fatfs-exfat-di… | third-party-advisory |
Date Public
2026-07-01 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6683",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:24:38.147110Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:24:56.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FatFs",
"vendor": "ChaN",
"versions": [
{
"lessThanOrEqual": "R0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HD Moore of runZero, Inc."
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-07-01T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "FatFs R0.16 and earlier contains a divide-by-zero in exFAT sync logic bug when crafted metadata causes n_fatent - 2 to be zero during write/sync operations. This maps to CWE-369 (Divide By Zero). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). Network-delivered update media can make this remote in some pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial."
}
],
"value": "FatFs R0.16 and earlier contains a divide-by-zero in exFAT sync logic bug when crafted metadata causes n_fatent - 2 to be zero during write/sync operations. This maps to CWE-369 (Divide By Zero). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). Network-delivered update media can make this remote in some pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-369",
"description": "CWE-369 Divide by zero",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:11:06.688Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/blog/fatfs-bugs/"
},
{
"tags": [
"technical-description"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"tags": [
"product"
],
"url": "https://elm-chan.org/fsw/ff/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/fatfs-exfat-divide-by-zero-cve-2026-6683"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FatFs Divide-by-Zero in exFAT Sync",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-6683",
"datePublished": "2026-07-01T13:41:11.337Z",
"dateReserved": "2026-04-20T15:06:19.048Z",
"dateUpdated": "2026-07-01T15:24:56.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6682 (GCVE-0-2026-6682)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:36 – Updated: 2026-07-01 15:24
VLAI
Title
FatFs Integer Overflow in FAT32 Volume Mount
Summary
In FatFS R0.16 and earlier contains a FAT32 integer overflow bug in mount_volume() where fasize *= fs->n_fats can wrap, leading to attacker-controlled file-size metadata and unsafe read lengths in downstream callers. This maps to CWE-190 (Integer Overflow or Wraparound). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). Remote delivery is also possible in OTA/update pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
Severity
7.6 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-190 - Integer overflow or wraparound
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.runzero.com/blog/fatfs-bugs/ | third-party-advisory |
| https://github.com/runZeroInc/vulns-2026-fatfs-chance | technical-description |
| https://elm-chan.org/fsw/ff/ | product |
| https://www.runzero.com/advisories/fatfs-fat32-in… | third-party-advisory |
Date Public
2026-07-01 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6682",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:23:46.354718Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:24:05.860Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FatFs",
"vendor": "ChaN",
"versions": [
{
"lessThanOrEqual": "R0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HD Moore of runZero, Inc."
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-07-01T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In FatFS R0.16 and earlier contains a FAT32 integer overflow bug in mount_volume() where fasize *= fs-\u0026gt;n_fats can wrap, leading to attacker-controlled file-size metadata and unsafe read lengths in downstream callers. This maps to CWE-190 (Integer Overflow or Wraparound). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). Remote delivery is also possible in OTA/update pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"value": "In FatFS R0.16 and earlier contains a FAT32 integer overflow bug in mount_volume() where fasize *= fs-\u003en_fats can wrap, leading to attacker-controlled file-size metadata and unsafe read lengths in downstream callers. This maps to CWE-190 (Integer Overflow or Wraparound). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). Remote delivery is also possible in OTA/update pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer overflow or wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:11:14.785Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/blog/fatfs-bugs/"
},
{
"tags": [
"technical-description"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"tags": [
"product"
],
"url": "https://elm-chan.org/fsw/ff/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/fatfs-fat32-int-of-mnt-cve-2026-6682/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FatFs Integer Overflow in FAT32 Volume Mount",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-6682",
"datePublished": "2026-07-01T13:36:59.935Z",
"dateReserved": "2026-04-20T15:06:18.243Z",
"dateUpdated": "2026-07-01T15:24:05.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10303 (GCVE-0-2026-10303)
Vulnerability from cvelistv5 – Published: 2026-06-16 18:24 – Updated: 2026-06-17 15:18
VLAI
Title
ServerCo getssl ACME shell script path injection
Summary
In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, "External control of file name or path." Other ACME shell script handlers may be affected by similar issues.
Severity
7.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-73 - External control of file name or path
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/srvrco/getssl/pull/896 | mitigation |
| https://remyhax.xyz/posts/reproducing-lawful-tls-… | related |
| https://www.cve.org/CVERecord?id=CVE-2023-38198 | related |
| https://www.runzero.com/advisories/serverco-getss… | third-party-advisory |
| https://github.com/srvrco/getssl/releases/tag/v2.50 | release-notes |
Date Public
2026-06-16 18:20
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10303",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T15:17:32.277126Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T15:18:11.930Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "getssl",
"repo": "https://github.com/srvrco/getssl",
"vendor": "ServerCo",
"versions": [
{
"lessThanOrEqual": "2.49",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "remy"
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero"
}
],
"datePublic": "2026-06-16T18:20:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, \"External control of file name or path.\" Other ACME shell script handlers may be affected by similar issues."
}
],
"value": "In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, \"External control of file name or path.\" Other ACME shell script handlers may be affected by similar issues."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External control of file name or path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T18:24:43.712Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"mitigation"
],
"url": "https://github.com/srvrco/getssl/pull/896"
},
{
"tags": [
"related"
],
"url": "https://remyhax.xyz/posts/reproducing-lawful-tls-wiretapping/"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38198"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/serverco-getssl-acme-cmd-injection-cve-2026-10303/"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/srvrco/getssl/releases/tag/v2.50"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ServerCo getssl ACME shell script path injection",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-10303",
"datePublished": "2026-06-16T18:24:43.712Z",
"dateReserved": "2026-05-31T21:05:04.476Z",
"dateUpdated": "2026-06-17T15:18:11.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50091 (GCVE-0-2026-50091)
Vulnerability from cvelistv5 – Published: 2026-06-12 15:02 – Updated: 2026-06-12 16:22
VLAI
Title
Aqara Home Android SDK hardcoded keys
Summary
Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptographic keys, which is an instance of "CWE-321: Use of Hard-coded Cryptographic Key" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical).
Severity
9.1 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-321 - Use of hard-coded cryptographic key
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/xn0tsa/theres-no-place-like-home | technical-description |
| https://www.runzero.com/advisories/aqara-hardcode… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Aqara | com.lumiunited.aqarahome |
Affected:
6.0.0 , < 0
(semver)
|
Date Public
2026-06-12 15:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50091",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T16:22:49.247673Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T16:22:58.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "com.lumiunited.aqarahome",
"vendor": "Aqara",
"versions": [
{
"lessThan": "0",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sammy Azdoufal"
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-06-12T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptographic keys, which is an instance of \"CWE-321: Use of Hard-coded Cryptographic Key\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical)."
}
],
"value": "Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptographic keys, which is an instance of \"CWE-321: Use of Hard-coded Cryptographic Key\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of hard-coded cryptographic key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:02:24.208Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/aqara-hardcoded-sdk-keys-cve-2026-50091"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Aqara Home Android SDK hardcoded keys",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-50091",
"datePublished": "2026-06-12T15:02:24.208Z",
"dateReserved": "2026-06-03T14:25:34.982Z",
"dateUpdated": "2026-06-12T16:22:58.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50090 (GCVE-0-2026-50090)
Vulnerability from cvelistv5 – Published: 2026-06-12 15:02 – Updated: 2026-06-12 15:49
VLAI
Title
Aqara OAuth redirect_uri validation bypass
Summary
The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper Validation of Unsafe Equivalence in Input" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (9.3 Critical).
Severity
9.3 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1289 - Improper validation of unsafe equivalence in input
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/xn0tsa/theres-no-place-like-home | technical-description |
| https://www.runzero.com/advisories/aqara-oauth-re… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Aqara | Cloud OAuth Authorization Endpoint |
Affected:
2026-04-20 , < 0
(date)
|
Date Public
2026-06-12 15:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50090",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T15:49:22.517830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:49:43.781Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cloud OAuth Authorization Endpoint",
"vendor": "Aqara",
"versions": [
{
"lessThan": "0",
"status": "affected",
"version": "2026-04-20",
"versionType": "date"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sammy Azdoufal"
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-06-12T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of \"CWE-1289: Improper Validation of Unsafe Equivalence in Input\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (9.3 Critical)."
}
],
"value": "The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of \"CWE-1289: Improper Validation of Unsafe Equivalence in Input\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (9.3 Critical)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289 Improper validation of unsafe equivalence in input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:02:13.840Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/aqara-oauth-redirect-validation-bypass-cve-2026-50090"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Aqara OAuth redirect_uri validation bypass",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-50090",
"datePublished": "2026-06-12T15:02:13.840Z",
"dateReserved": "2026-06-03T14:25:34.982Z",
"dateUpdated": "2026-06-12T15:49:43.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50089 (GCVE-0-2026-50089)
Vulnerability from cvelistv5 – Published: 2026-06-12 15:02 – Updated: 2026-06-12 15:50
VLAI
Title
Aqara IAM/SSO Gateway open redirect
Summary
The Aqara IAM/SSO Gateway (gw-builder.aqara.com) provides an open redirect, which is an instance of "CWE-601: URL Redirection to Untrusted Site," with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (6.1 Medium), which can be used to set up a phishing attack.
Severity
6.1 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-601 - URL redirection to untrusted site ('open redirect')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/xn0tsa/theres-no-place-like-home | technical-description |
| https://www.runzero.com/advisories/aqara-sso-open… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Aqara | Aqara IAM/SSO Gateway |
Affected:
2026-04-20 , < 0
(date)
|
Date Public
2026-06-12 15:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50089",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T15:50:04.675728Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:50:31.374Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Aqara IAM/SSO Gateway",
"vendor": "Aqara",
"versions": [
{
"lessThan": "0",
"status": "affected",
"version": "2026-04-20",
"versionType": "date"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sammy Azdoufal"
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-06-12T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Aqara IAM/SSO Gateway (gw-builder.aqara.com) provides an open redirect, which is an instance of \"CWE-601: URL Redirection to Untrusted Site,\" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (6.1 Medium), which can be used to set up a phishing attack.\u003cbr\u003e"
}
],
"value": "The Aqara IAM/SSO Gateway (gw-builder.aqara.com) provides an open redirect, which is an instance of \"CWE-601: URL Redirection to Untrusted Site,\" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (6.1 Medium), which can be used to set up a phishing attack."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL redirection to untrusted site (\u0027open redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:02:02.056Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/aqara-sso-open-redirect-cve-2026-50089"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Aqara IAM/SSO Gateway open redirect",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-50089",
"datePublished": "2026-06-12T15:02:02.056Z",
"dateReserved": "2026-06-03T14:25:34.982Z",
"dateUpdated": "2026-06-12T15:50:31.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50088 (GCVE-0-2026-50088)
Vulnerability from cvelistv5 – Published: 2026-06-12 15:01 – Updated: 2026-06-12 15:51
VLAI
Title
Aqara Developer Portal cross-origin resource sharing
Summary
The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).
Severity
8.2 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-942 - Permissive cross-domain security policy with untrusted domains
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/xn0tsa/theres-no-place-like-home | technical-description |
| https://www.runzero.com/advisories/aqara-dev-port… | third-party-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Aqara | Aqara Developer Portal |
Affected:
2026-04-20 , < 0
(date)
|
|
| Aqara | Aqara Developer Test Portal |
Affected:
2026-04-20 , < 0
(date)
|
Date Public
2026-06-12 15:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50088",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T15:51:00.517874Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:51:21.684Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Aqara Developer Portal",
"vendor": "Aqara",
"versions": [
{
"lessThan": "0",
"status": "affected",
"version": "2026-04-20",
"versionType": "date"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Aqara Developer Test Portal",
"vendor": "Aqara",
"versions": [
{
"lessThan": "0",
"status": "affected",
"version": "2026-04-20",
"versionType": "date"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sammy Azdoufal"
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-06-12T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of \"CWE-942: Permissive Cross-domain Policy with Untrusted Domains,\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High)."
}
],
"value": "The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of \"CWE-942: Permissive Cross-domain Policy with Untrusted Domains,\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942 Permissive cross-domain security policy with untrusted domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:01:49.680Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/aqara-dev-portal-cors-cve-2026-50088"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Aqara Developer Portal cross-origin resource sharing",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-50088",
"datePublished": "2026-06-12T15:01:49.680Z",
"dateReserved": "2026-06-03T14:25:34.982Z",
"dateUpdated": "2026-06-12T15:51:21.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50087 (GCVE-0-2026-50087)
Vulnerability from cvelistv5 – Published: 2026-06-12 15:01 – Updated: 2026-06-12 15:52
VLAI
Title
Aqara IAM/SSO Gateway cross-origin resource sharing
Summary
The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).
Severity
8.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-942 - Permissive cross-domain security policy with untrusted domains
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/xn0tsa/theres-no-place-like-home | technical-description |
| https://www.runzero.com/advisories/aqara-iam-sso-… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Aqara | Aqara IAM/SSO Gateway |
Affected:
2026-04-20 , < 0
(date)
|
Date Public
2026-06-12 15:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50087",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T15:51:57.814157Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:52:19.433Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Aqara IAM/SSO Gateway",
"vendor": "Aqara",
"versions": [
{
"lessThan": "0",
"status": "affected",
"version": "2026-04-20",
"versionType": "date"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sammy Azdoufal"
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-06-12T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of \"CWE-942: Permissive Cross-domain Policy with Untrusted Domains,\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High)."
}
],
"value": "The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of \"CWE-942: Permissive Cross-domain Policy with Untrusted Domains,\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942 Permissive cross-domain security policy with untrusted domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:01:37.508Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/aqara-iam-sso-cors-cve-2026-50087"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Aqara IAM/SSO Gateway cross-origin resource sharing",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-50087",
"datePublished": "2026-06-12T15:01:37.508Z",
"dateReserved": "2026-06-03T14:25:34.982Z",
"dateUpdated": "2026-06-12T15:52:19.433Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50086 (GCVE-0-2026-50086)
Vulnerability from cvelistv5 – Published: 2026-06-12 15:01 – Updated: 2026-06-12 15:48
VLAI
Title
Aqara unauthenticated AES oracle
Summary
The Aqara IAM/SSO gateway (gw-builder.aqara.com) exposes bidirectional AES round-trups against the platform's signing key without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and "CWE-327: Use of a Broken or Risky Cryptographic Algorithm," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High).
Severity
10 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/xn0tsa/theres-no-place-like-home | technical-description |
| https://www.runzero.com/advisories/aqara-unauth-a… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Aqara | Aqara IAM/SSO Gateway |
Affected:
2026-04-20 , < 0
(date)
|
Date Public
2026-06-12 15:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50086",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T15:48:33.784868Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:48:59.149Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Aqara IAM/SSO Gateway",
"vendor": "Aqara",
"versions": [
{
"lessThan": "0",
"status": "affected",
"version": "2026-04-20",
"versionType": "date"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sammy Azdoufal"
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-06-12T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Aqara IAM/SSO gateway (gw-builder.aqara.com) exposes bidirectional AES round-trups against the platform\u0027s signing key without authentication. This is an instance of \"CWE-306: Missing Authentication for Critical Function\" and \"CWE-327: Use of a Broken or Risky Cryptographic Algorithm,\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High)."
}
],
"value": "The Aqara IAM/SSO gateway (gw-builder.aqara.com) exposes bidirectional AES round-trups against the platform\u0027s signing key without authentication. This is an instance of \"CWE-306: Missing Authentication for Critical Function\" and \"CWE-327: Use of a Broken or Risky Cryptographic Algorithm,\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:01:26.055Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/aqara-unauth-aes-oracle-cve-2026-50086"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Aqara unauthenticated AES oracle",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-50086",
"datePublished": "2026-06-12T15:01:26.055Z",
"dateReserved": "2026-06-03T14:25:34.982Z",
"dateUpdated": "2026-06-12T15:48:59.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50085 (GCVE-0-2026-50085)
Vulnerability from cvelistv5 – Published: 2026-06-12 15:01 – Updated: 2026-06-12 15:54
VLAI
Title
Aqara Board IoT insecure debug API
Summary
The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and has an estimated CVSS ofCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (8.6 High). When combined with CVE-2026-50082, CVE-50083, and CVE-50084, this can lead to a fully unauthenticated, remote takeover of affected devices.
Severity
8.6 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing authentication for critical function
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/xn0tsa/theres-no-place-like-home | technical-description |
| https://www.runzero.com/advisories/aqara-board-io… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Aqara | Board service |
Affected:
2026-04-20 , < 0
(date)
|
Date Public
2026-06-12 15:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50085",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T15:54:13.689198Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:54:34.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Board service",
"vendor": "Aqara",
"versions": [
{
"lessThan": "0",
"status": "affected",
"version": "2026-04-20",
"versionType": "date"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sammy Azdoufal"
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-06-12T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom\u0027s HiveMQ broker without authentication. This is an instance of \"CWE-306: Missing Authentication for Critical Function\" and has an estimated CVSS ofCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (8.6 High). When combined with CVE-2026-50082, CVE-50083, and CVE-50084, this can lead to a fully unauthenticated, remote takeover of affected devices."
}
],
"value": "The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom\u0027s HiveMQ broker without authentication. This is an instance of \"CWE-306: Missing Authentication for Critical Function\" and has an estimated CVSS ofCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (8.6 High). When combined with CVE-2026-50082, CVE-50083, and CVE-50084, this can lead to a fully unauthenticated, remote takeover of affected devices."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing authentication for critical function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:01:13.523Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/aqara-board-iot-insecure-debug-api-cve-2026-50085"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Aqara Board IoT insecure debug API",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-50085",
"datePublished": "2026-06-12T15:01:13.523Z",
"dateReserved": "2026-06-03T14:25:34.982Z",
"dateUpdated": "2026-06-12T15:54:34.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50084 (GCVE-0-2026-50084)
Vulnerability from cvelistv5 – Published: 2026-06-12 15:01 – Updated: 2026-06-12 15:55
VLAI
Title
Aqara API cross-account access
Summary
The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical). When combined with CVE-2026-50082, CVE-50083, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.
Severity
9.6 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/xn0tsa/theres-no-place-like-home | technical-description |
| https://www.runzero.com/advisories/aqara-api-acce… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Aqara | Cloud Production API |
Affected:
2026-04-20 , < 0
(date)
|
Date Public
2026-06-12 15:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50084",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T15:55:07.354028Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:55:29.162Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cloud Production API",
"vendor": "Aqara",
"versions": [
{
"lessThan": "0",
"status": "affected",
"version": "2026-04-20",
"versionType": "date"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sammy Azdoufal"
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-06-12T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of \"CWE-862: Missing Authorization\" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical). When combined with CVE-2026-50082, CVE-50083, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices."
}
],
"value": "The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of \"CWE-862: Missing Authorization\" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical). When combined with CVE-2026-50082, CVE-50083, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:01:00.952Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/aqara-api-access-cve-2026-50084"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Aqara API cross-account access",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-50084",
"datePublished": "2026-06-12T15:01:00.952Z",
"dateReserved": "2026-06-03T14:25:34.982Z",
"dateUpdated": "2026-06-12T15:55:29.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50083 (GCVE-0-2026-50083)
Vulnerability from cvelistv5 – Published: 2026-06-12 15:00 – Updated: 2026-06-12 15:56
VLAI
Title
Aqara hardcoded OAuth client credentials
Summary
The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical). When combined with CVE-2026-50082, CVE-50084, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.
Severity
9.1 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/xn0tsa/theres-no-place-like-home | technical-description |
| https://www.runzero.com/advisories/aqara-hardcode… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Aqara | Aquara IAM/SSO Gateway |
Affected:
2026-04-20 , < 0
(date)
|
Date Public
2026-06-12 15:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50083",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T15:55:58.127070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:56:21.727Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Aquara IAM/SSO Gateway",
"vendor": "Aqara",
"versions": [
{
"lessThan": "0",
"status": "affected",
"version": "2026-04-20",
"versionType": "date"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sammy Azdoufal"
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-06-12T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Aqara IAM/SSO Gateway (\u003ccode\u003egw-builder.aqara.com\u003c/code\u003e) used a hardcoded OAuth client credential, which is an instance of\u0026nbsp;\u003cstrong\u003e\"\u003c/strong\u003eCWE-798: Use of Hard-coded Credentials.\" This issue has an estimated CVSS of\u0026nbsp;\u003ccode\u003eCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\u003c/code\u003e\u0026nbsp;(9.1 Critical). When combined with CVE-2026-50082, CVE-50084, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices."
}
],
"value": "The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of\u00a0\"CWE-798: Use of Hard-coded Credentials.\" This issue has an estimated CVSS of\u00a0CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\u00a0(9.1 Critical). When combined with CVE-2026-50082, CVE-50084, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:00:49.311Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/aqara-hardcoded-oauth-cve-2026-50083"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Aqara hardcoded OAuth client credentials",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-50083",
"datePublished": "2026-06-12T15:00:49.311Z",
"dateReserved": "2026-06-03T14:25:34.982Z",
"dateUpdated": "2026-06-12T15:56:21.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50082 (GCVE-0-2026-50082)
Vulnerability from cvelistv5 – Published: 2026-06-12 15:00 – Updated: 2026-06-12 15:53
VLAI
Title
Aqara Developer Portal insecure authentication token
Summary
The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker. This is an instance of "CWE-306: Missing Authentication for Critical Function" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (6.5 Medium). When combined with CVE-2026-50083, CVE-2026-50084, and CVE-2026-50085, any otherwise-unauthenticated attacker could execute a full takeover of affected devices.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/xn0tsa/theres-no-place-like-home | technical-description |
| https://www.runzero.com/advisories/aqara-dev-port… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Aqara | Cloud Developer Portal |
Affected:
2026-04-20 , < 0
(date)
|
Date Public
2026-06-12 15:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50082",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T15:53:19.154380Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:53:41.579Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cloud Developer Portal",
"vendor": "Aqara",
"versions": [
{
"lessThan": "0",
"status": "affected",
"version": "2026-04-20",
"versionType": "date"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sammy Azdoufal"
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-06-12T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker. This is an instance of \"CWE-306: Missing Authentication for Critical Function\" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (6.5 Medium). When combined with CVE-2026-50083, CVE-2026-50084, and CVE-2026-50085, any otherwise-unauthenticated attacker could execute a full takeover of affected devices."
}
],
"value": "The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker. This is an instance of \"CWE-306: Missing Authentication for Critical Function\" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (6.5 Medium). When combined with CVE-2026-50083, CVE-2026-50084, and CVE-2026-50085, any otherwise-unauthenticated attacker could execute a full takeover of affected devices."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:00:31.845Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/aqara-dev-portal-auth-token-2026-50082"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Aqara Developer Portal insecure authentication token",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-50082",
"datePublished": "2026-06-12T15:00:31.845Z",
"dateReserved": "2026-06-03T14:25:34.981Z",
"dateUpdated": "2026-06-12T15:53:41.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33362 (GCVE-0-2026-33362)
Vulnerability from cvelistv5 – Published: 2026-05-11 16:04 – Updated: 2026-05-11 18:15
VLAI
Title
Meari SDK hardcoded cryptographic keys
Summary
In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps <= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service access keys.
Severity
8.6 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/xn0tsa/nobody-puts-baby-in-a-corner | technical-description |
| https://www.runzero.com/advisories/meari-sdk-hard… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Meari | com.meari.sdk |
Affected:
firmID=8
(custom)
|
Date Public
2026-05-11 16:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33362",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:15:31.897348Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:15:45.783Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "com.meari.sdk",
"vendor": "Meari",
"versions": [
{
"status": "affected",
"version": "firmID=8",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sammy Azdoufal"
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-05-11T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps \u0026lt;= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service access keys.\u003cbr\u003e"
}
],
"value": "In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps \u003c= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service access keys."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T16:04:16.704Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/meari-sdk-hardcoded-cryptographic-keys-cve-2026-33362/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Meari SDK hardcoded cryptographic keys",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-33362",
"datePublished": "2026-05-11T16:04:16.704Z",
"dateReserved": "2026-03-19T00:27:05.987Z",
"dateUpdated": "2026-05-11T18:15:45.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33361 (GCVE-0-2026-33361)
Vulnerability from cvelistv5 – Published: 2026-05-11 16:03 – Updated: 2026-05-11 18:17
VLAI
Title
Meari weak XOR obfuscation
Summary
In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (<= 1.8.x), baby monitor ".jpgx3" files use reversible XOR over only the first 1024 bytes with a predictable key derivation model.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/xn0tsa/nobody-puts-baby-in-a-corner | technical-description |
| https://www.runzero.com/advisories/meari-weak-xor… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Meari | com.meari.sdk |
Affected:
firmID=8
(custom)
|
Date Public
2026-05-11 16:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33361",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:17:34.883672Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:17:43.933Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "com.meari.sdk",
"vendor": "Meari",
"versions": [
{
"status": "affected",
"version": "firmID=8",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sammy Azdoufal"
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-05-11T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (\u0026lt;= 1.8.x), baby monitor \".jpgx3\" files use reversible XOR over only the first 1024 bytes with a predictable key derivation model.\u003cbr\u003e"
}
],
"value": "In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (\u003c= 1.8.x), baby monitor \".jpgx3\" files use reversible XOR over only the first 1024 bytes with a predictable key derivation model."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T16:03:55.746Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/meari-weak-xor-obfuscation-cve-2026-33361/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Meari weak XOR obfuscation",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-33361",
"datePublished": "2026-05-11T16:03:55.746Z",
"dateReserved": "2026-03-19T00:27:05.987Z",
"dateUpdated": "2026-05-11T18:17:43.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33359 (GCVE-0-2026-33359)
Vulnerability from cvelistv5 – Published: 2026-05-11 16:03 – Updated: 2026-05-11 18:18 Exclusively Hosted Service
VLAI
Title
Meari unauthenticated alert image access in cloud object storage
Summary
In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/xn0tsa/nobody-puts-baby-in-a-corner | technical-description |
| https://www.runzero.com/advisories/meari-unauthen… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Meari | Alibaba OSS Hosted |
Affected:
April, 2026
(date)
|
Date Public
2026-05-11 16:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33359",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:17:55.620113Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:18:06.184Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Alibaba OSS Hosted",
"vendor": "Meari",
"versions": [
{
"status": "affected",
"version": "April, 2026",
"versionType": "date"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sammy Azdoufal"
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-05-11T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows.\u003cbr\u003e"
}
],
"value": "In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T16:03:21.535Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/meari-unauthenticated-alert-image-access-in-cloud-object-storage-cve-2026-33359/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"exclusively-hosted-service"
],
"title": "Meari unauthenticated alert image access in cloud object storage",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-33359",
"datePublished": "2026-05-11T16:03:21.535Z",
"dateReserved": "2026-03-19T00:27:05.987Z",
"dateUpdated": "2026-05-11T18:18:06.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33357 (GCVE-0-2026-33357)
Vulnerability from cvelistv5 – Published: 2026-05-11 16:02 – Updated: 2026-05-11 18:18
VLAI
Title
Meari OpenAPI device status IDOR
Summary
In Meari client applications embedding "com.meari.sdk" (including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label <= 1.8.x), the integrated call path to openapi-euce.mearicloud.com can be abused to retrieve WAN IP data for arbitrary devices. The root cause is a server-side authorization failure in "GET /openapi/device/status".
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/xn0tsa/nobody-puts-baby-in-a-corner | technical-description |
| https://www.runzero.com/advisories/meari-openapi-… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Meari | com.meari.sdk |
Affected:
firmID=8
(custom)
|
Date Public
2026-05-11 16:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33357",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:18:17.383807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:18:25.334Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "com.meari.sdk",
"vendor": "Meari",
"versions": [
{
"status": "affected",
"version": "firmID=8",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sammy Azdoufal"
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-05-11T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Meari client applications embedding \"com.meari.sdk\" (including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label \u0026lt;= 1.8.x), the integrated call path to openapi-euce.mearicloud.com can be abused to retrieve WAN IP data for arbitrary devices. The root cause is a server-side authorization failure in \"GET /openapi/device/status\"."
}
],
"value": "In Meari client applications embedding \"com.meari.sdk\" (including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label \u003c= 1.8.x), the integrated call path to openapi-euce.mearicloud.com can be abused to retrieve WAN IP data for arbitrary devices. The root cause is a server-side authorization failure in \"GET /openapi/device/status\"."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T16:02:40.597Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/meari-openapi-device-status-idor-cve-2026-33357/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Meari OpenAPI device status IDOR",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-33357",
"datePublished": "2026-05-11T16:02:40.597Z",
"dateReserved": "2026-03-19T00:27:05.986Z",
"dateUpdated": "2026-05-11T18:18:25.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33356 (GCVE-0-2026-33356)
Vulnerability from cvelistv5 – Published: 2026-05-11 16:02 – Updated: 2026-05-11 18:18
VLAI
Title
Meari MQTT broker missing per-device subscribe ACL
Summary
In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope.
Severity
7.7 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/xn0tsa/nobody-puts-baby-in-a-corner | technical-description |
| https://www.runzero.com/advisories/meari-mqtt-bro… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Meari | IoT Cloud MQTT Broker EMQX |
Affected:
4.x
(custom)
|
Date Public
2026-05-11 16:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33356",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:18:36.704517Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:18:45.410Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "IoT Cloud MQTT Broker EMQX",
"vendor": "Meari",
"versions": [
{
"status": "affected",
"version": "4.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sammy Azdoufal"
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-05-11T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope."
}
],
"value": "In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T16:02:14.046Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/meari-mqtt-broker-missing-per-device-subscribe-acl-cve-2026-33356/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Meari MQTT broker missing per-device subscribe ACL",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-33356",
"datePublished": "2026-05-11T16:02:14.046Z",
"dateReserved": "2026-03-19T00:27:05.986Z",
"dateUpdated": "2026-05-11T18:18:45.410Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7778 (GCVE-0-2026-7778)
Vulnerability from cvelistv5 – Published: 2026-05-05 13:44 – Updated: 2026-05-05 14:41
VLAI
Title
runZero Platform dashboard configuration exposure
Summary
An issue that could allow a dashboard configuration to be viewed from outside of the authorized organization scope has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N (5.0, Medium). This issue was fixed in version v4.0.260416.0 of the runZero Platform.
Severity
5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.runzero.com/advisories/runzero-platfo… | vendor-advisory |
| https://help.runzero.com/docs/release-notes/#402604160 | release-notes |
Impacted products
Date Public
2026-05-05 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7778",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-05T14:41:44.344687Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T14:41:52.389Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Platform",
"vendor": "runZero",
"versions": [
{
"lessThan": "4.0.260416.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "runZero"
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero"
}
],
"datePublic": "2026-05-05T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An issue that could allow a dashboard configuration to be viewed from outside of the authorized organization scope has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N (5.0, Medium). This issue was fixed in version v4.0.260416.0 of the runZero Platform."
}
],
"value": "An issue that could allow a dashboard configuration to be viewed from outside of the authorized organization scope has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N (5.0, Medium). This issue was fixed in version v4.0.260416.0 of the runZero Platform."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"other": {
"content": {
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CNA",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T13:44:38.938Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.runzero.com/advisories/runzero-platform-dashboard-configuration-exposure-cve-2026-7778/"
},
{
"tags": [
"release-notes"
],
"url": "https://help.runzero.com/docs/release-notes/#402604160"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "runZero Platform dashboard configuration exposure",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-7778",
"datePublished": "2026-05-05T13:44:38.938Z",
"dateReserved": "2026-05-04T15:23:54.909Z",
"dateUpdated": "2026-05-05T14:41:52.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5384 (GCVE-0-2026-5384)
Vulnerability from cvelistv5 – Published: 2026-04-07 14:12 – Updated: 2026-04-07 19:59
VLAI
Title
runZero Platform incorrect credential scope
Summary
An issue that could allow a credential to be updated and used for a task from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N (5.8 Medium). This issue was fixed in version 4.0.26021.0 of the runZero Platform.
Severity
5.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://help.runzero.com/docs/release-notes/#402602100 | release-notes |
| https://www.runzero.com/advisories/runzero-platfo… | vendor-advisory |
Impacted products
Date Public
2026-04-07 14:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T19:54:15.338081Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T19:59:57.769Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Platform",
"vendor": "runZero",
"versions": [
{
"lessThan": "4.0.26021.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "runZero"
}
],
"datePublic": "2026-04-07T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An issue that could allow a credential to be updated and used for a task from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N (5.8 Medium). This issue was fixed in version 4.0.26021.0 of the runZero Platform.\u003cbr\u003e"
}
],
"value": "An issue that could allow a credential to be updated and used for a task from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N (5.8 Medium). This issue was fixed in version 4.0.26021.0 of the runZero Platform."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:12:42.547Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://help.runzero.com/docs/release-notes/#402602100"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.runzero.com/advisories/runzero-platform-cve-2026-5384/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue was fixed in version 4.0.26021.0 of the runZero Platform"
}
],
"value": "This issue was fixed in version 4.0.26021.0 of the runZero Platform"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "runZero Platform incorrect credential scope",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-5384",
"datePublished": "2026-04-07T14:12:42.547Z",
"dateReserved": "2026-04-01T20:20:42.640Z",
"dateUpdated": "2026-04-07T19:59:57.769Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5383 (GCVE-0-2026-5383)
Vulnerability from cvelistv5 – Published: 2026-04-07 14:12 – Updated: 2026-04-07 20:00
VLAI
Title
runZero Explorer missing authorization check
Summary
An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L (4.4 Medium). This issue was fixed in version 4.0.260208.0 of the runZero Explorer.
Severity
4.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://help.runzero.com/docs/release-notes/#402602080 | release-notes |
| https://www.runzero.com/advisories/runzero-explor… | vendor-advisory |
Impacted products
Date Public
2026-04-07 14:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5383",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T19:53:40.801500Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T20:00:12.927Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Explorer",
"vendor": "runZero",
"versions": [
{
"lessThan": "4.0.260208.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "runZero"
}
],
"datePublic": "2026-04-07T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L (4.4 Medium). This issue was fixed in version 4.0.260208.0 of the runZero Explorer.\u003cbr\u003e"
}
],
"value": "An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L (4.4 Medium). This issue was fixed in version 4.0.260208.0 of the runZero Explorer."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:12:32.422Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://help.runzero.com/docs/release-notes/#402602080"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.runzero.com/advisories/runzero-explorer-cve-2026-5383/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue was fixed in version 4.0.26021.0 of the runZero Explorer"
}
],
"value": "This issue was fixed in version 4.0.26021.0 of the runZero Explorer"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "runZero Explorer missing authorization check",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-5383",
"datePublished": "2026-04-07T14:12:32.422Z",
"dateReserved": "2026-04-01T20:20:41.608Z",
"dateUpdated": "2026-04-07T20:00:12.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5382 (GCVE-0-2026-5382)
Vulnerability from cvelistv5 – Published: 2026-04-07 14:12 – Updated: 2026-04-07 15:38
VLAI
Title
runZero Platform MCP endpoint information leak
Summary
An issue that could expose records outside of the authorized organization scope through the MCP endpoints has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260206.0 of the runZero Platform.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://help.runzero.com/docs/release-notes/#402602060 | release-notes |
| https://www.runzero.com/advisories/runzero-platfo… | vendor-advisory |
Impacted products
Date Public
2026-04-07 14:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5382",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T15:27:23.682839Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T15:38:38.395Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Platform",
"vendor": "runZero",
"versions": [
{
"lessThan": "4.0.260206.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "runZero"
}
],
"datePublic": "2026-04-07T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An issue that could expose records outside of the authorized organization scope through the MCP endpoints has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of \u003cbr\u003eCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260206.0 of the runZero Platform.\u003cbr\u003e"
}
],
"value": "An issue that could expose records outside of the authorized organization scope through the MCP endpoints has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of \nCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260206.0 of the runZero Platform."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:12:23.331Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://help.runzero.com/docs/release-notes/#402602060"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.runzero.com/advisories/runzero-platform-mcp-infoleak-cve-2026-5382/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue was fixed in version 4.0.260206.0 of the runZero Platform"
}
],
"value": "This issue was fixed in version 4.0.260206.0 of the runZero Platform"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "runZero Platform MCP endpoint information leak",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-5382",
"datePublished": "2026-04-07T14:12:23.331Z",
"dateReserved": "2026-04-01T20:20:40.699Z",
"dateUpdated": "2026-04-07T15:38:38.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5381 (GCVE-0-2026-5381)
Vulnerability from cvelistv5 – Published: 2026-04-07 14:12 – Updated: 2026-04-07 15:02
VLAI
Title
runZero Platform task information leak
Summary
An issue that could expose task information outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N (2.2 Low). This issue was fixed in version 4.0.260205.0 of the runZero Platform.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://help.runzero.com/docs/release-notes/#402602050 | release-notes |
| https://www.runzero.com/advisories/runzero-platfo… | vendor-advisory |
Impacted products
Date Public
2026-04-07 14:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5381",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T15:02:22.776468Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T15:02:37.040Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Platform",
"vendor": "runZero",
"versions": [
{
"lessThan": "4.0.260205.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "runZero"
}
],
"datePublic": "2026-04-07T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An issue that could expose task information outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N (2.2 Low). This issue was fixed in version 4.0.260205.0 of the runZero Platform.\u003cbr\u003e"
}
],
"value": "An issue that could expose task information outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N (2.2 Low). This issue was fixed in version 4.0.260205.0 of the runZero Platform."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:12:15.851Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://help.runzero.com/docs/release-notes/#402602050"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.runzero.com/advisories/runzero-platform-task-infoleak-cve-2026-5381/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue was fixed in version 4.0.260205.0 of the runZero Platform"
}
],
"value": "This issue was fixed in version 4.0.260205.0 of the runZero Platform"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "runZero Platform task information leak",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-5381",
"datePublished": "2026-04-07T14:12:15.851Z",
"dateReserved": "2026-04-01T20:20:39.700Z",
"dateUpdated": "2026-04-07T15:02:37.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5380 (GCVE-0-2026-5380)
Vulnerability from cvelistv5 – Published: 2026-04-07 14:12 – Updated: 2026-04-07 15:03
VLAI
Title
runZero Platform cleartext secret exposure
Summary
An issue that could allow an authorized user to view the clear-text secrets for a subset of credential types and fields has been resolved. This is an instance of CWE-522: Insufficiently Protected Credentials, and has an estimated CVSS score of
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (5.3 Medium). This issue was fixed in version 4.0.260204.2 of the runZero Platform.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://help.runzero.com/docs/release-notes/#402602042 | release-notes |
| https://www.runzero.com/advisories/runzero-platfo… | vendor-advisory |
Impacted products
Date Public
2026-04-07 14:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5380",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T15:03:36.808071Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T15:03:47.654Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Platform",
"vendor": "runZero",
"versions": [
{
"lessThan": "4.0.260204.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "runZero"
}
],
"datePublic": "2026-04-07T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An issue that could allow an authorized user to view the clear-text secrets for a subset of credential types and fields has been resolved. This is an instance of CWE-522: Insufficiently Protected Credentials, and has an estimated CVSS score of\u003cbr\u003eCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (5.3 Medium). This issue was fixed in version 4.0.260204.2 of the runZero Platform.\u003cbr\u003e"
}
],
"value": "An issue that could allow an authorized user to view the clear-text secrets for a subset of credential types and fields has been resolved. This is an instance of CWE-522: Insufficiently Protected Credentials, and has an estimated CVSS score of\nCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (5.3 Medium). This issue was fixed in version 4.0.260204.2 of the runZero Platform."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:12:05.649Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://help.runzero.com/docs/release-notes/#402602042"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.runzero.com/advisories/runzero-platform-cleartext-exposure-cve-2026-5380/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue was fixed in version 4.0.260204.2 of the runZero Platform"
}
],
"value": "This issue was fixed in version 4.0.260204.2 of the runZero Platform"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "runZero Platform cleartext secret exposure",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-5380",
"datePublished": "2026-04-07T14:12:05.649Z",
"dateReserved": "2026-04-01T20:20:38.604Z",
"dateUpdated": "2026-04-07T15:03:47.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5379 (GCVE-0-2026-5379)
Vulnerability from cvelistv5 – Published: 2026-04-07 14:11 – Updated: 2026-04-07 15:04
VLAI
Title
runZero Platform MCP certification information leak
Summary
An issue that allowed MCP agents to access certificate information from outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260203.0 of the runZero Platform.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://help.runzero.com/docs/release-notes/#402602030 | release-notes |
| https://www.runzero.com/advisories/runzero-platfo… | vendor-advisory |
Impacted products
Date Public
2026-04-07 14:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5379",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T15:04:20.870499Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T15:04:56.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Platform",
"vendor": "runZero",
"versions": [
{
"lessThan": "4.0.260203.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "runZero"
}
],
"datePublic": "2026-04-07T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An issue that allowed MCP agents to access certificate information from outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260203.0 of the runZero Platform.\u003cbr\u003e"
}
],
"value": "An issue that allowed MCP agents to access certificate information from outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260203.0 of the runZero Platform."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:11:53.619Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://help.runzero.com/docs/release-notes/#402602030"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.runzero.com/advisories/runzero-platform-mcp-cert-infoleak-cve-2026-5379/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue was fixed in version 4.0.260203.0 of the runZero Platform"
}
],
"value": "This issue was fixed in version 4.0.260203.0 of the runZero Platform"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "runZero Platform MCP certification information leak",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-5379",
"datePublished": "2026-04-07T14:11:53.619Z",
"dateReserved": "2026-04-01T20:13:08.079Z",
"dateUpdated": "2026-04-07T15:04:56.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}