SCA-2026-0002

Vulnerability from csaf_sick - Published: 2026-01-15 14:00 - Updated: 2026-01-15 14:00
Summary
Vulnerabilities affecting SICK Incoming Goods Suite

Notes

Summary
SICK has identified multiple vulnerabilities in the SICK Incoming Goods Suite product. Vulnerabilities related to Grafana apply exclusively to the administrative user interface for log management and do not affect the Incoming Goods Suite user interface. The vulnerabilities could potentially affect the confidentiality, integrity and availability of the product. Therefore, it is strongly recommended to apply general security practices when operating the product.
General Security Measures
As general security measures, SICK recommends minimizing the network exposure of the devices, restricting network access and following recommended security practices in order to run the devices in a protected IT environment.
Vulnerability Classification
SICK performs vulnerability classification by using the CVSS scoring system (*CVSS v3.1*). The environmental score is dependent on the customer’s environment and can affect the overall CVSS score. SICK recommends that customers individually evaluate the environmental score to achieve final scoring.

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "summary",
        "text": "SICK has identified multiple vulnerabilities in the SICK Incoming Goods Suite product. Vulnerabilities related to Grafana apply exclusively to the administrative user interface for log management and do not affect the Incoming Goods Suite user interface. The vulnerabilities could potentially affect the confidentiality, integrity and availability of the product. Therefore it is strongly recommended to apply general security practices when operating the product.",
        "title": "summary"
      },
      {
        "category": "general",
        "text": "As general security measures, SICK recommends to minimize network exposure of the devices, restrict network access and follow recommended security practices in order to run the devices in a protected IT environment.",
        "title": "General Security Measures"
      },
      {
        "category": "general",
        "text": "SICK performs vulnerability classification by using the CVSS scoring system (*CVSS v3.1*). The environmental score is dependent on the customer\u2019s environment and can affect the overall CVSS score. SICK recommends that customers individually evaluate the environmental score to achieve final scoring.",
        "title": "Vulnerability Classification"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@sick.de",
      "issuing_authority": "SICK AG issues and issues in EHS products (when related to the Endress+Hauser SICK (EHS) joint venture).",
      "name": "SICK PSIRT",
      "namespace": "https://www.sick.com/psirt"
    },
    "references": [
      {
        "summary": "SICK PSIRT Security Advisories",
        "url": "https://sick.com/psirt"
      },
      {
        "summary": "SICK Operating Guidelines",
        "url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf"
      },
      {
        "summary": "ICS-CERT recommended practices on Industrial Security",
        "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
      },
      {
        "summary": "CVSS v3.1 Calculator",
        "url": "https://www.first.org/cvss/calculator/3.1"
      },
      {
        "category": "self",
        "summary": "The canonical URL.",
        "url": "https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json"
      }
    ],
    "title": "Vulnerabilities affecting SICK Incoming Goods Suite",
    "tracking": {
      "current_release_date": "2026-01-15T14:00:00.000Z",
      "generator": {
        "date": "2026-01-15T10:16:13.558Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.42"
        }
      },
      "id": "SCA-2026-0002",
      "initial_release_date": "2026-01-15T14:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-01-15T14:00:00.000Z",
          "number": "1",
          "summary": "Initial version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:all/*",
                    "product": {
                      "name": "SICK Incoming Goods Suite all versions",
                      "product_id": "CSAFPID-0001",
                      "product_identification_helper": {
                        "skus": [
                          "1139622"
                        ]
                      }
                    }
                  }
                ],
                "category": "product_name",
                "name": "Incoming Goods Suite"
              }
            ],
            "category": "product_family",
            "name": "Incoming Goods Suite"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:all/*",
                "product": {
                  "name": "SICK Incoming Goods Suite Firmware all versions",
                  "product_id": "CSAFPID-0002"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.2.1",
                "product": {
                  "name": "SICK Incoming Goods Suite Firmware \u003c1.2.1",
                  "product_id": "CSAFPID-0003"
                }
              },
              {
                "category": "product_version",
                "name": "1.2.1",
                "product": {
                  "name": "SICK Incoming Goods Suite Firmware 1.2.1",
                  "product_id": "CSAFPID-0004"
                }
              }
            ],
            "category": "product_name",
            "name": "Incoming Goods Suite Firmware"
          }
        ],
        "category": "vendor",
        "name": "SICK AG"
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "SICK Incoming Goods Suite all Firmware versions",
          "product_id": "CSAFPID-0005"
        },
        "product_reference": "CSAFPID-0002",
        "relates_to_product_reference": "CSAFPID-0001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "SICK Incoming Goods Suite with Firmware \u003c1.2.1",
          "product_id": "CSAFPID-0006"
        },
        "product_reference": "CSAFPID-0003",
        "relates_to_product_reference": "CSAFPID-0001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "SICK Incoming Goods Suite with Firmware 1.2.1",
          "product_id": "CSAFPID-0007"
        },
        "product_reference": "CSAFPID-0004",
        "relates_to_product_reference": "CSAFPID-0001"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-0712",
      "cwe": {
        "id": "CWE-601",
        "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01",
          "title": "Summary"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0007"
        ],
        "known_affected": [
          "CSAFPID-0006"
        ],
        "recommended": [
          "CSAFPID-0007"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Users are strongly recommended to upgrade to the latest release of Incoming Goods Suite (\u003e= 1.2.1).\n\n",
          "product_ids": [
            "CSAFPID-0006"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.6,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.6,
            "temporalSeverity": "HIGH",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0006"
          ]
        }
      ],
      "title": "CVE-2026-0712"
    },
    {
      "cve": "CVE-2026-0713",
      "cwe": {
        "id": "CWE-863",
        "name": "Incorrect Authorization"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless of permissions - Editors can view/edit/delete all dashboards/folders regardless of permissions - Editors can create dashboards in any folder regardless of permissions - Anonymous users with viewer/editor roles are similarly affected Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0007"
        ],
        "known_affected": [
          "CSAFPID-0006"
        ],
        "recommended": [
          "CSAFPID-0007"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Users are strongly recommended to upgrade to the latest release of Incoming Goods Suite (\u003e= 1.2.1).\n\n",
          "product_ids": [
            "CSAFPID-0006"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.3,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.3,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0006"
          ]
        }
      ],
      "title": "CVE-2026-0713"
    },
    {
      "cve": "CVE-2026-22637",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0007"
        ],
        "known_affected": [
          "CSAFPID-0006"
        ],
        "recommended": [
          "CSAFPID-0007"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Users are strongly recommended to upgrade to the latest release of Incoming Goods Suite (\u003e= 1.2.1).\n\n",
          "product_ids": [
            "CSAFPID-0006"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 6.8,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 6.8,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0006"
          ]
        }
      ],
      "title": "CVE-2026-22637"
    },
    {
      "cve": "CVE-2026-22638",
      "cwe": {
        "id": "CWE-601",
        "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0007"
        ],
        "known_affected": [
          "CSAFPID-0006"
        ],
        "recommended": [
          "CSAFPID-0007"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Users are strongly recommended to upgrade to the latest release of Incoming Goods Suite (\u003e= 1.2.1).\n\n",
          "product_ids": [
            "CSAFPID-0006"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.3,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.3,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0006"
          ]
        }
      ],
      "title": "CVE-2026-22638"
    },
    {
      "cve": "CVE-2026-22639",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01",
          "title": "Summary"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0007"
        ],
        "known_affected": [
          "CSAFPID-0006"
        ],
        "recommended": [
          "CSAFPID-0007"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Users are strongly recommended to upgrade to the latest release of Incoming Goods Suite (\u003e= 1.2.1).\n\n",
          "product_ids": [
            "CSAFPID-0006"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 4.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 4.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0006"
          ]
        }
      ],
      "title": "CVE-2026-22639"
    },
    {
      "cve": "CVE-2026-22640",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server administrator accounts - If the only Server administrator is deleted, the Grafana instance becomes unmanageable - No super-user permissions remain in the system - Affects all users, organizations, and teams managed in the instance The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0007"
        ],
        "known_affected": [
          "CSAFPID-0006"
        ],
        "recommended": [
          "CSAFPID-0007"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Users are strongly recommended to upgrade to the latest release of Incoming Goods Suite (\u003e= 1.2.1).\n\n",
          "product_ids": [
            "CSAFPID-0006"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalScore": 5.5,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "temporalScore": 5.5,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0006"
          ]
        }
      ],
      "title": "CVE-2026-22640"
    },
    {
      "cve": "CVE-2026-22641",
      "cwe": {
        "id": "CWE-285",
        "name": "Improper Authorization"
      },
      "notes": [
        {
          "category": "summary",
          "text": "This vulnerability in Grafana\u0027s datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0007"
        ],
        "known_affected": [
          "CSAFPID-0006"
        ],
        "recommended": [
          "CSAFPID-0007"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Users are strongly recommended to upgrade to the latest release of Incoming Goods Suite (\u003e= 1.2.1).\n\n",
          "product_ids": [
            "CSAFPID-0006"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 5,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "temporalScore": 5,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0006"
          ]
        }
      ],
      "title": "CVE-2026-22641"
    },
    {
      "cve": "CVE-2026-22642",
      "cwe": {
        "id": "CWE-601",
        "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An open redirect vulnerability has been identified in Grafana OSS organization switching functionality. Prerequisites for exploitation: - Multiple organizations must exist in the Grafana instance - Victim must be on a different organization than the one specified in the URL",
          "title": "Summary"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0007"
        ],
        "known_affected": [
          "CSAFPID-0006"
        ],
        "recommended": [
          "CSAFPID-0007"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Users are strongly recommended to upgrade to the latest release of Incoming Goods Suite (\u003e= 1.2.1).\n\n",
          "product_ids": [
            "CSAFPID-0006"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 4.2,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 4.2,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0006"
          ]
        }
      ],
      "title": "CVE-2026-22642"
    },
    {
      "cve": "CVE-2026-22643",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0007"
        ],
        "known_affected": [
          "CSAFPID-0006"
        ],
        "recommended": [
          "CSAFPID-0007"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Users are strongly recommended to upgrade to the latest release of Incoming Goods Suite (\u003e= 1.2.1).\n\n",
          "product_ids": [
            "CSAFPID-0006"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.3,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.3,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0006"
          ]
        }
      ],
      "title": "CVE-2026-22643"
    },
    {
      "cve": "CVE-2026-22644",
      "cwe": {
        "id": "CWE-598",
        "name": "Use of GET Request Method With Sensitive Query Strings"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Certain requests pass the authentication token in the URL as string query parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user\u0027s session and gain unauthorized access.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Please make sure that logs exclude informative level and are stored in a secure way.\nFor more information please follow the official Microsoft Security Considerations document for .NET:\nhttps://learn.microsoft.com/en-us/aspnet/core/signalr/security?view=aspnetcore-9.0#access-token-logging\nPlease make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated\nsecurity risk. The collected resources \u201dSICK Operating Guidelines\u201d and \u201dICS-CERT recommended practices on Industrial Security\u201d could help to implement the general security practices.",
          "product_ids": [
            "CSAFPID-0005"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 5.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0005"
          ]
        }
      ],
      "title": "CVE-2026-22644"
    },
    {
      "cve": "CVE-2026-22645",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The application discloses all used components, versions and license information to unauthenticated actors, giving attackers the opportunity to target known security vulnerabilities of used components.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0007"
        ],
        "known_affected": [
          "CSAFPID-0006"
        ],
        "recommended": [
          "CSAFPID-0007"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Users are strongly recommended to upgrade to the latest release of Incoming Goods Suite (\u003e= 1.2.1).",
          "product_ids": [
            "CSAFPID-0006"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 5.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0006"
          ]
        }
      ],
      "title": "CVE-2026-22645"
    },
    {
      "cve": "CVE-2026-22646",
      "cwe": {
        "id": "CWE-209",
        "name": "Generation of Error Message Containing Sensitive Information"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Certain error messages returned by the application expose internal system details that should not be visible to end users, providing attackers with valuable reconnaissance information (like file paths, database errors, or software versions) that can be used to map the application\u0027s internal structure and discover other, more critical vulnerabilities.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0007"
        ],
        "known_affected": [
          "CSAFPID-0006"
        ],
        "recommended": [
          "CSAFPID-0007"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Users are strongly recommended to upgrade to the latest release of Incoming Goods Suite (\u003e= 1.2.1).",
          "product_ids": [
            "CSAFPID-0006"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 4.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 4.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0006"
          ]
        }
      ],
      "title": "CVE-2026-22646"
    }
  ]
}

