CVE-2026-12183

· Published 13/06/2026 20:16 · Modified 13/06/2026 18:16 · Author: The MITRE Corporation

Labels: CVE-2026-12183, 2026-06-13, 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c, CWE-287

Essential information

Published: 13/06/2026 20:16
Modified: 13/06/2026 18:16
Author: The MITRE Corporation
Creator: The MITRE Corporation
CVSS: 9.8 CRITICAL (v3.1); 9.3 CRITICAL (v4.0)
CISA KEV: No
CWE: CWE-287
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials (e.g., action=dologin&login=<any_value>&pwd=<any_value>), and subsequent privileged endpoints under /php/ajax-main.php and /modules/* do not validate a server-side session. A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Affected products (CPE)

Product: nefteprodukttekhnika / buk ts-g
CPE: cpe:2.3:a:nefteprodukttekhnika:buk_ts-g:2.9.1-2.10.2:*:*:*:*:*:*:*
