CVE-2026-2752
Summary
| CVE | CVE-2026-2752 |
|---|---|
| State | PUBLISHED |
| Assigner | MHV |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-06 15:16:10 UTC |
| Updated | 2026-06-15 17:15:18 UTC |
| Description | Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return verbose .NET stack traces. These error messages expose internal class names, method calls, and third-party library references (e.g., System.Data.SQLite), which may assist attackers in mapping the application's internal structure. |
Risk And Classification
Primary CVSS: v3.1 5.3 MEDIUM from 56a186b1-7f5e-4314-ba38-38d5499fccfd
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.002610000 probability, percentile 0.172030000 (date 2026-06-21)
Problem Types: CWE-209 | CWE-209 CWE-209 Generation of Error Message Containing Sensitive Information
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | 56a186b1-7f5e-4314-ba38-38d5499fccfd | Secondary | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| 3.1 | CNA | CVSS | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
LowIntegrity
NoneAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Navtor | Navbox | - | All | All | All |
| Operating System | Navtor | Navbox Firmware | All | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| cydome.io/vulnerability-advisory-cve-2026-2752-in-navtor-navbox-version... | 56a186b1-7f5e-4314-ba38-38d5499fccfd | cydome.io | Third Party Advisory |
| www.navtor.com/navtor-vendor-statement | 56a186b1-7f5e-4314-ba38-38d5499fccfd | www.navtor.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Cydome Security Ltd (en)
There are currently no legacy QID mappings associated with this CVE.