CVE-2026-31849 PUBLISHED

Missing CSRF protection on state-changing endpoints in Nexxt Nebula 300+

Assigner: TuranSec
Reserved: 09.03.2026 Published: 23.03.2026 Updated: 23.03.2026

Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement CSRF protections on state-changing administrative endpoints. A remote attacker can induce an authenticated administrator to submit crafted requests that modify device settings, including security-relevant configuration, without the administrator's intent.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7.2

Product Status

Vendor Nexxt Solutions
Product Nebula 300+
Versions Default: unaffected
  • Version <= 12.01.01.37 is affected

Credits

  • Angel Barre (call4pwn) finder

References

Problem Types

  • CWE-352 Cross-Site Request Forgery (CSRF) CWE

Impacts

  • A remote attacker can cause an authenticated administrator's browser to send forged state-changing requests, resulting in unauthorized configuration changes.