CVE-2026-31846 PUBLISHED

Assigner: TuranSec
Reserved: 09.03.2026 Published: 23.03.2026 Updated: 23.03.2026

An unauthenticated credential disclosure vulnerability in the /goform/ate endpoint of Nexxt Solutions Nebula 300+ firmware through Nebula300+_v12.01.01.37 allows an adjacent attacker to obtain the administrator password in Base64-encoded form via a crafted HTTP request. The recovered credential can be used to authenticate to the device and facilitates further compromise when combined with other weaknesses present in the firmware.

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 7.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Adjacent	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 6.5

Attack Vector	Adjacent Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

CVSS Vector: AV:A/AC:L/Au:N/C:C/I:N/A:N
CVSS Score: 6.1

Access Vector	Adjacent Network	Confidentiality Impact	Complete
Access Complexity	Low	Integrity Impact	None
Authentication	None	Availability Impact	None

CVSS 2.0

Product Status

Vendor	Nexxt Solutions
Product	Nebula 300+ / Tenda F3 V2.0 Firmware
Versions	Default: affected Version <= 12.01.01.37 is affected

Credits

Angel Barre (call4pwn) finder

References

Problem Types

CWE-306 Missing Authentication for Critical Function CWE

Impacts

Unauthenticated attackers can retrieve administrative credentials, leading to full compromise when combined with other vulnerabilities.