CVE-2026-2754

Published: Mar 6, 2026Modified: Jun 5, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: 56a186b1-7f5e-4314-ba38-38d5499fccfd (Secondary)

Description

Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute HTTP GET requests to TCP port 8080 to retrieve internal network parameters including ECDIS & OT Information, device identifiers, and service status logs.

Affected (1)

Products: Navtor: Navbox Firmware

1 product

Navbox Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Navtor Navbox Firmware	From 4.12.0.3 to 4.16.2.4

Running on/with	Platform Versions
Navtor Navbox	All versions

Related CWEs

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References (2)

https://cydome.io/vulnerability-advisory-cve-2026-2754-in-navtor-navbox-version-4-12-0-3

Source: 56a186b1-7f5e-4314-ba38-38d5499fccfd

Third Party Advisory

https://www.navtor.com/navtor-vendor-statement

Source: 56a186b1-7f5e-4314-ba38-38d5499fccfd

Vendor Advisory

Timeline

No history available yet.