CVE-2026-8142 PUBLISHED

CVE-2026-8142

Assigner: certcc
Reserved: 07.05.2026 Published: 07.05.2026 Updated: 07.05.2026

VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates.

Product Status

Vendor	CERT/CC
Product	VINCE
Versions	affected from 0 to 3.0.38 (incl.)

Credits

Thanks to Guillem Lefait guillem@datamq.com for reporting the issue finder

References

https://kb.cert.org/vince
https://github.com/CERTCC/VINCE

Problem Types

CWE-345: Insufficient Verification of Data Authenticity