CVE-2026-4682 PUBLISHED

Certain HP DeskJet All In One (AIO) Devices – Potential Remote Code Execution & Potential Buffer Overflow

Assigner: hp
Reserved: 23.03.2026 Published: 15.04.2026 Updated: 15.04.2026

Certain HP DeskJet All in One devices may be vulnerable to remote code execution caused by a buffer overflow when specially crafted Web Services for Devices (WSD) scan requests are improperly validated and handled by the MFP.

WSD Scan is a Microsoft Windows–based network scanning protocol that allows a PC to discover scanners (and MFPs) on a network and send scan jobs to them without requiring vendor specific drivers or utilities.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Adjacent	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	HP Inc
Product	HP DeskJet 2800e All-in-One Printer series
Versions	Default: unaffected affected from 0 to <2612A (excl.)

Vendor	HP Inc
Product	HP DeskJet 4200 All-in-One Printer series
Versions	Default: unaffected affected from 0 to <2612A (excl.)

Vendor	HP Inc
Product	HP DeskJet Ink Advantage 4200 All-in-One Printer series
Versions	Default: unaffected affected from 0 to <2612A (excl.)

Vendor	HP Inc
Product	HP DeskJet 4200e All-in-One Printer series
Versions	Default: unaffected affected from 0 to <2612A (excl.)

Vendor	HP Inc
Product	HP DeskJet Ink Advantage Ultra 4900 series
Versions	Default: unaffected affected from 0 to <2612A (excl.)

Vendor	HP Inc
Product	HP DeskJet Ink Advantage 2800 All-in-One Printer series
Versions	Default: unaffected affected from 0 to <2612A (excl.)

References

https://support.hp.com/us-en/document/ish_14744451-14744475-16

Problem Types

CWE-121 Stack-based buffer overflow CWE