CVE-2026-26049

{"id": "CVE-2026-26049", "cveTags": [{"tags": ["unsupported-when-assigned"], "sourceIdentifier": "ics-cert@hq.dhs.gov"}], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.1}]}, "published": "2026-02-20T17:25:53.623", "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-03.json", "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-03", "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "The web management interface of the device renders the passwords in a \nplaintext input field. The current password is directly visible to \nanyone with access to the UI, potentially exposing administrator \ncredentials to unauthorized observation via shoulder surfing, \nscreenshots, or browser form caching."}, {"lang": "es", "value": "La interfaz de gesti\u00f3n web del dispositivo muestra las contrase\u00f1as en un campo de entrada de texto sin formato. La contrase\u00f1a actual es directamente visible para cualquiera con acceso a la UI, lo que podr\u00eda exponer las credenciales de administrador a una observaci\u00f3n no autorizada mediante 'shoulder surfing', capturas de pantalla o el almacenamiento en cach\u00e9 del formulario del navegador."}], "lastModified": "2026-02-20T18:57:15.973", "sourceIdentifier": "ics-cert@hq.dhs.gov"}