216.73.217.22

CVE-2026-9508

· Published 29/05/2026 13:16 · Modified 29/05/2026 15:39

Labels: CVE-2026-9508 2026-05-29CVE-2026-9508CWE-732[email protected]

Essential information

Published
29/05/2026 13:16
Modified
29/05/2026 15:39
Author
Creator
CVSS
10.0 CRITICAL (v3) 10.0 CRITICAL (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network access to directly download backup ZIP files via ‘http(s)://[server]/download/…’ without requiring authentication. This exposes highly sensitive information that can lead to server impersonation, unauthorized access to databases, and lateral movement.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
suprema / biostar cpe:2.3:a:suprema:biostar:2.9.3-2.9.11:*:*:*:*:*:*:*

References