Search criteria
8 vulnerabilities found for Cryptobox by Ercom
CVE-2026-6805 (GCVE-0-2026-6805)
Vulnerability from nvd – Published: 2026-05-07 09:45 – Updated: 2026-05-07 13:39
VLAI
Title
Vulnerability on Cryptobox external sharing feature
Summary
Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-280 - Improper handling of insufficient permissions or privileges
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://info.cryptobox.com/doc/v4.40/4.40.en/ | release-notes |
Impacted products
Date Public
2026-05-07 09:42
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6805",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T13:39:28.055891Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T13:39:33.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"Server"
],
"product": "Cryptobox",
"vendor": "Ercom",
"versions": [
{
"status": "unaffected",
"version": "4.40.183"
},
{
"lessThan": "v4.38.0",
"status": "unaffected",
"version": "4.37.248",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-05-07T09:42:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link.\u003cbr\u003e"
}
],
"value": "Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link."
}
],
"impacts": [
{
"capecId": "CAPEC-49",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-49 Password Brute Forcing"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-280",
"description": "CWE-280 Improper handling of insufficient permissions or privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T09:45:42.841Z",
"orgId": "9d5917ae-205d-4ae5-8749-1f49479b1395",
"shortName": "THA-PSIRT"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://info.cryptobox.com/doc/v4.40/4.40.en/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vulnerability on Cryptobox external sharing feature",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9d5917ae-205d-4ae5-8749-1f49479b1395",
"assignerShortName": "THA-PSIRT",
"cveId": "CVE-2026-6805",
"datePublished": "2026-05-07T09:45:42.841Z",
"dateReserved": "2026-04-21T15:15:08.431Z",
"dateUpdated": "2026-05-07T13:39:33.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5794 (GCVE-0-2026-5794)
Vulnerability from nvd – Published: 2026-04-28 17:09 – Updated: 2026-04-29 14:06
VLAI
Title
Vulnerability in Cryptobox allows an authenticated user to trigger an account lockout
Summary
A vulnerability affecting the detailed versions of Cryptobox allows a legitimate user to prevent another to login by triggering an account lockout via sending a specially crafted request.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-694 - Use of multiple resources with duplicate identifier
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://info.cryptobox.com/doc/v4.40/4.40.en/ | release-notes |
Impacted products
Date Public
2026-04-29 14:04
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5794",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-28T18:33:48.530783Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T18:33:57.912Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"Cryptobox server"
],
"product": "Cryptobox",
"vendor": "Ercom",
"versions": [
{
"status": "unaffected",
"version": "4.40.175"
},
{
"lessThan": "4.38.0",
"status": "unaffected",
"version": "4.37.237",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-04-29T14:04:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability affecting the detailed versions of\u0026nbsp;Cryptobox allows a legitimate user to prevent another to login by triggering an account lockout via sending a specially crafted request."
}
],
"value": "A vulnerability affecting the detailed versions of\u00a0Cryptobox allows a legitimate user to prevent another to login by triggering an account lockout via sending a specially crafted request."
}
],
"impacts": [
{
"capecId": "CAPEC-2",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-2 Inducing Account Lockout"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-694",
"description": "CWE-694 Use of multiple resources with duplicate identifier",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T14:06:08.155Z",
"orgId": "9d5917ae-205d-4ae5-8749-1f49479b1395",
"shortName": "THA-PSIRT"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://info.cryptobox.com/doc/v4.40/4.40.en/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vulnerability in Cryptobox allows an authenticated user to trigger an account lockout",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9d5917ae-205d-4ae5-8749-1f49479b1395",
"assignerShortName": "THA-PSIRT",
"cveId": "CVE-2026-5794",
"datePublished": "2026-04-28T17:09:55.609Z",
"dateReserved": "2026-04-08T13:20:07.168Z",
"dateUpdated": "2026-04-29T14:06:08.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0873 (GCVE-0-2026-0873)
Vulnerability from nvd – Published: 2026-02-04 10:42 – Updated: 2026-02-04 14:56
VLAI
Title
Privilege Elevation in Ercom Cryptobox administration console
Summary
On a Cryptobox platform where administrator segregation based on entities is used, some vulnerabilities in Ercom Cryptobox administration console allows an authenticated entity administrator with knowledge to elevate his account to global administrator.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Date Public
2026-02-04 10:16
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0873",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T14:56:16.541272Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T14:56:23.511Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"Administration console"
],
"product": "Cryptobox",
"vendor": "Ercom",
"versions": [
{
"status": "unaffected",
"version": "v4.40.x"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Multiple entities must be defined with dedicated administrators"
}
],
"value": "Multiple entities must be defined with dedicated administrators"
}
],
"datePublic": "2026-02-04T10:16:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "On a Cryptobox platform where administrator segregation based on entities is used, some vulnerabilities in Ercom Cryptobox administration console allows an authenticated entity administrator with knowledge to elevate his account to global administrator."
}
],
"value": "On a Cryptobox platform where administrator segregation based on entities is used, some vulnerabilities in Ercom Cryptobox administration console allows an authenticated entity administrator with knowledge to elevate his account to global administrator."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233: Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220: Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T10:42:14.626Z",
"orgId": "9d5917ae-205d-4ae5-8749-1f49479b1395",
"shortName": "THA-PSIRT"
},
"references": [
{
"url": "https://info.cryptobox.com/doc/v4.40/4.40.en/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to version 4.40.x."
}
],
"value": "Upgrade to version 4.40.x."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Privilege Elevation in Ercom Cryptobox administration console",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9d5917ae-205d-4ae5-8749-1f49479b1395",
"assignerShortName": "THA-PSIRT",
"cveId": "CVE-2026-0873",
"datePublished": "2026-02-04T10:42:14.626Z",
"dateReserved": "2026-01-13T09:32:07.338Z",
"dateUpdated": "2026-02-04T14:56:23.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14266 (GCVE-0-2025-14266)
Vulnerability from nvd – Published: 2025-12-17 13:38 – Updated: 2025-12-17 14:18
VLAI
Title
CSRF in Ercom Cryptobox administration console
Summary
CSRF in Ercom Cryptobox administration console allows attacker to trigger some actions on behalf of a Cryptobox administrator. The attack requires the administrator to browse a malicious web site or to click a link while he has an open session on the administration console.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14266",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-17T14:16:53.526332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T14:18:16.552Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Administration console"
],
"product": "Cryptobox",
"vendor": "Ercom",
"versions": [
{
"lessThan": "4.37.229",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "4.39.200",
"status": "affected",
"version": "4.38.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ercom:cryptobox:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.37.229",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ercom:cryptobox:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.39.200",
"versionStartIncluding": "4.38.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CSRF in Ercom Cryptobox administration console allows attacker to trigger some actions on behalf of a Cryptobox administrator. The attack requires the administrator to browse a malicious web site or to click a link while he has an open session on the administration console."
}
],
"value": "CSRF in Ercom Cryptobox administration console allows attacker to trigger some actions on behalf of a Cryptobox administrator. The attack requires the administrator to browse a malicious web site or to click a link while he has an open session on the administration console."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 0.6,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T13:51:28.479Z",
"orgId": "9d5917ae-205d-4ae5-8749-1f49479b1395",
"shortName": "THA-PSIRT"
},
"references": [
{
"url": "https://info.cryptobox.com/doc/v4.39/4.39.en/#fix2"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "CSRF in Ercom Cryptobox administration console",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9d5917ae-205d-4ae5-8749-1f49479b1395",
"assignerShortName": "THA-PSIRT",
"cveId": "CVE-2025-14266",
"datePublished": "2025-12-17T13:38:22.069Z",
"dateReserved": "2025-12-08T13:02:54.031Z",
"dateUpdated": "2025-12-17T14:18:16.552Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6805 (GCVE-0-2026-6805)
Vulnerability from cvelistv5 – Published: 2026-05-07 09:45 – Updated: 2026-05-07 13:39
VLAI
Title
Vulnerability on Cryptobox external sharing feature
Summary
Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-280 - Improper handling of insufficient permissions or privileges
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://info.cryptobox.com/doc/v4.40/4.40.en/ | release-notes |
Impacted products
Date Public
2026-05-07 09:42
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6805",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T13:39:28.055891Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T13:39:33.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"Server"
],
"product": "Cryptobox",
"vendor": "Ercom",
"versions": [
{
"status": "unaffected",
"version": "4.40.183"
},
{
"lessThan": "v4.38.0",
"status": "unaffected",
"version": "4.37.248",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-05-07T09:42:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link.\u003cbr\u003e"
}
],
"value": "Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link."
}
],
"impacts": [
{
"capecId": "CAPEC-49",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-49 Password Brute Forcing"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-280",
"description": "CWE-280 Improper handling of insufficient permissions or privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T09:45:42.841Z",
"orgId": "9d5917ae-205d-4ae5-8749-1f49479b1395",
"shortName": "THA-PSIRT"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://info.cryptobox.com/doc/v4.40/4.40.en/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vulnerability on Cryptobox external sharing feature",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9d5917ae-205d-4ae5-8749-1f49479b1395",
"assignerShortName": "THA-PSIRT",
"cveId": "CVE-2026-6805",
"datePublished": "2026-05-07T09:45:42.841Z",
"dateReserved": "2026-04-21T15:15:08.431Z",
"dateUpdated": "2026-05-07T13:39:33.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5794 (GCVE-0-2026-5794)
Vulnerability from cvelistv5 – Published: 2026-04-28 17:09 – Updated: 2026-04-29 14:06
VLAI
Title
Vulnerability in Cryptobox allows an authenticated user to trigger an account lockout
Summary
A vulnerability affecting the detailed versions of Cryptobox allows a legitimate user to prevent another to login by triggering an account lockout via sending a specially crafted request.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-694 - Use of multiple resources with duplicate identifier
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://info.cryptobox.com/doc/v4.40/4.40.en/ | release-notes |
Impacted products
Date Public
2026-04-29 14:04
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5794",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-28T18:33:48.530783Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T18:33:57.912Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"Cryptobox server"
],
"product": "Cryptobox",
"vendor": "Ercom",
"versions": [
{
"status": "unaffected",
"version": "4.40.175"
},
{
"lessThan": "4.38.0",
"status": "unaffected",
"version": "4.37.237",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-04-29T14:04:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability affecting the detailed versions of\u0026nbsp;Cryptobox allows a legitimate user to prevent another to login by triggering an account lockout via sending a specially crafted request."
}
],
"value": "A vulnerability affecting the detailed versions of\u00a0Cryptobox allows a legitimate user to prevent another to login by triggering an account lockout via sending a specially crafted request."
}
],
"impacts": [
{
"capecId": "CAPEC-2",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-2 Inducing Account Lockout"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-694",
"description": "CWE-694 Use of multiple resources with duplicate identifier",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T14:06:08.155Z",
"orgId": "9d5917ae-205d-4ae5-8749-1f49479b1395",
"shortName": "THA-PSIRT"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://info.cryptobox.com/doc/v4.40/4.40.en/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Vulnerability in Cryptobox allows an authenticated user to trigger an account lockout",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9d5917ae-205d-4ae5-8749-1f49479b1395",
"assignerShortName": "THA-PSIRT",
"cveId": "CVE-2026-5794",
"datePublished": "2026-04-28T17:09:55.609Z",
"dateReserved": "2026-04-08T13:20:07.168Z",
"dateUpdated": "2026-04-29T14:06:08.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0873 (GCVE-0-2026-0873)
Vulnerability from cvelistv5 – Published: 2026-02-04 10:42 – Updated: 2026-02-04 14:56
VLAI
Title
Privilege Elevation in Ercom Cryptobox administration console
Summary
On a Cryptobox platform where administrator segregation based on entities is used, some vulnerabilities in Ercom Cryptobox administration console allows an authenticated entity administrator with knowledge to elevate his account to global administrator.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Date Public
2026-02-04 10:16
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0873",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T14:56:16.541272Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T14:56:23.511Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"Administration console"
],
"product": "Cryptobox",
"vendor": "Ercom",
"versions": [
{
"status": "unaffected",
"version": "v4.40.x"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Multiple entities must be defined with dedicated administrators"
}
],
"value": "Multiple entities must be defined with dedicated administrators"
}
],
"datePublic": "2026-02-04T10:16:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "On a Cryptobox platform where administrator segregation based on entities is used, some vulnerabilities in Ercom Cryptobox administration console allows an authenticated entity administrator with knowledge to elevate his account to global administrator."
}
],
"value": "On a Cryptobox platform where administrator segregation based on entities is used, some vulnerabilities in Ercom Cryptobox administration console allows an authenticated entity administrator with knowledge to elevate his account to global administrator."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233: Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220: Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T10:42:14.626Z",
"orgId": "9d5917ae-205d-4ae5-8749-1f49479b1395",
"shortName": "THA-PSIRT"
},
"references": [
{
"url": "https://info.cryptobox.com/doc/v4.40/4.40.en/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to version 4.40.x."
}
],
"value": "Upgrade to version 4.40.x."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Privilege Elevation in Ercom Cryptobox administration console",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9d5917ae-205d-4ae5-8749-1f49479b1395",
"assignerShortName": "THA-PSIRT",
"cveId": "CVE-2026-0873",
"datePublished": "2026-02-04T10:42:14.626Z",
"dateReserved": "2026-01-13T09:32:07.338Z",
"dateUpdated": "2026-02-04T14:56:23.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14266 (GCVE-0-2025-14266)
Vulnerability from cvelistv5 – Published: 2025-12-17 13:38 – Updated: 2025-12-17 14:18
VLAI
Title
CSRF in Ercom Cryptobox administration console
Summary
CSRF in Ercom Cryptobox administration console allows attacker to trigger some actions on behalf of a Cryptobox administrator. The attack requires the administrator to browse a malicious web site or to click a link while he has an open session on the administration console.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14266",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-17T14:16:53.526332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T14:18:16.552Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Administration console"
],
"product": "Cryptobox",
"vendor": "Ercom",
"versions": [
{
"lessThan": "4.37.229",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "4.39.200",
"status": "affected",
"version": "4.38.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ercom:cryptobox:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.37.229",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ercom:cryptobox:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.39.200",
"versionStartIncluding": "4.38.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CSRF in Ercom Cryptobox administration console allows attacker to trigger some actions on behalf of a Cryptobox administrator. The attack requires the administrator to browse a malicious web site or to click a link while he has an open session on the administration console."
}
],
"value": "CSRF in Ercom Cryptobox administration console allows attacker to trigger some actions on behalf of a Cryptobox administrator. The attack requires the administrator to browse a malicious web site or to click a link while he has an open session on the administration console."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 0.6,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T13:51:28.479Z",
"orgId": "9d5917ae-205d-4ae5-8749-1f49479b1395",
"shortName": "THA-PSIRT"
},
"references": [
{
"url": "https://info.cryptobox.com/doc/v4.39/4.39.en/#fix2"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "CSRF in Ercom Cryptobox administration console",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9d5917ae-205d-4ae5-8749-1f49479b1395",
"assignerShortName": "THA-PSIRT",
"cveId": "CVE-2025-14266",
"datePublished": "2025-12-17T13:38:22.069Z",
"dateReserved": "2025-12-08T13:02:54.031Z",
"dateUpdated": "2025-12-17T14:18:16.552Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}