216.73.217.22

CVE-2026-26368

· Published 15/02/2026 16:15 · Modified 15/02/2026 16:15

Labels: CVE-2026-26368 2026-02-15CVE-2026-26368CWE-862[email protected]

Essential information

Published
15/02/2026 16:15
Modified
15/02/2026 16:15
Author
Creator
CVSS
8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the resetUserPassword JSON-RPC method that allows any authenticated low-privileged user (UG_USER) to reset the password of arbitrary accounts, including those in the UG_ADMIN and UG_SUPER_ADMIN groups, without supplying the current password or having sufficient privileges. By sending a crafted JSON-RPC request to /jsonrpc/management, an attacker can overwrite existing credentials, resulting in direct account takeover with full administrative access and persistent privilege escalation.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
enet / smart home cpe:2.3:a:enet:smart_home:2.2.1:*:*:*:*:*:*:*
enet / smart home cpe:2.3:a:enet:smart_home:2.3.1:*:*:*:*:*:*:*

References