Jithin Nambiar J

12 exploits Active since Apr 2026
CVE-2026-6824 WRITEUP HIGH WRITEUP
CP Plus 8 Ch. Network Video Recorder Cross-site Scripting
A stored cross-site scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators or users access affected pages, the stored scripts are executed in their browsers, leading to potential session hijacking, unauthorized actions, or data theft.
CVSS 8.4
CVE-2026-25775 WRITEUP CRITICAL WRITEUP
SenseLive X3050 Missing authentication for critical function
A vulnerability in SenseLive X3050’s remote management service allows firmware retrieval and update operations to be performed without authentication or authorization. The service accepts firmware-related requests from any reachable host and does not verify user privileges, integrity of uploaded images, or the authenticity of provided firmware.
CVSS 9.8
CVE-2026-27841 WRITEUP HIGH WRITEUP
SenseLive X3050 Cross-Site request forgery
A vulnerability in SenseLive X3050's web management interface allows state-changing operations to be triggered without proper Cross-Site Request Forgery (CSRF) protections. Because the application does not enforce server-side validation of request origin or implement CSRF tokens, a malicious external webpage could cause a user's browser to submit unauthorized configuration requests to the device.
CVSS 8.1
CVE-2026-27843 WRITEUP CRITICAL WRITEUP
SenseLive X3050 Missing authentication for critical function
A vulnerability exists in SenseLive X3050's web management interface that allows critical configuration parameters to be modified without sufficient authentication or server-side validation. By applying unsupported or disruptive values to recovery mechanisms and network settings, an attacker can induce a persistent lockout state. Because the device lacks a physical reset button, recovery requires specialized technical access via the console to perform a factory reset, resulting in a total denial-of-service for the gateway and its connected RS-485 downstream systems.
CVSS 9.1
CVE-2026-35064 WRITEUP HIGH WRITEUP
SenseLive X3050 Missing authentication for critical function
A vulnerability in SenseLive X3050’s management ecosystem allows unauthenticated discovery of deployed units through the vendor’s management protocol, enabling identification of device presence, identifiers, and management interfaces without requiring credentials. Because discovery functions are exposed by the underlying service rather than gated by authentication, an attacker on the same network segment can rapidly enumerate targeted devices.
CVSS 7.5
CVE-2026-35503 WRITEUP CRITICAL WRITEUP
SenseLive X3050 Use of Hard-coded Credentials
A vulnerability in SenseLive X3050’s web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed scripts rather than server-side verification. An attacker with access to the login page could retrieve these exposed parameters and gain unauthorized access to administrative functionality.
CVSS 9.8
CVE-2026-39462 WRITEUP HIGH WRITEUP
SenseLive X3050 Insufficiently Protected Credentials
A vulnerability exists in SenseLive X3050’s web management interface in which password updates are not reliably applied due to improper handling of credential changes on the backend. After the device undergoes a factory restore using the SenseLive Config 2.0 tool, the interface may indicate that the password update was successful; however, the system may continue to accept the previous or default credentials, demonstrating that the password-change process is not consistently enforced. Even after a factory reset, attempted password changes may fail to propagate correctly.
CVSS 8.1
CVE-2026-40431 WRITEUP MEDIUM WRITEUP
SenseLive X3050 Cleartext transmission of sensitive information
A vulnerability exists in SenseLive X3050’s web management interface due to its reliance on unencrypted HTTP for all administrative communication. Because management traffic, including authentication attempts and configuration data, is transmitted in cleartext, an attacker with access to the same network segment could intercept or observe sensitive operational information.
CVSS 5.3
CVE-2026-40620 WRITEUP CRITICAL WRITEUP
SenseLive X3050 Missing authentication for critical function
A vulnerability in SenseLive X3050’s embedded management service allows full administrative control to be established without any form of authentication or authorization on the SenseLive config application. The service accepts management connections from any reachable host, enabling unrestricted modification of critical configuration parameters, operational modes, and device state through a vendor-supplied or compatible client.
CVSS 9.8
CVE-2026-40623 WRITEUP HIGH WRITEUP
SenseLive X3050 Missing Authorization
A vulnerability in SenseLive X3050's web management interface allows critical system and network configuration parameters to be modified without sufficient validation and safety controls. Due to inadequate enforcement of constraints on sensitive functions, parameters such as IP addressing, watchdog timers, reconnect intervals, and service ports can be set to unsupported or unsafe values. These configuration changes directly affect core device behaviour and recovery mechanisms. The lack of proper validation and safeguards allows critical system functions to be altered in a manner that can destabilize device operation or render the device persistently unavailable.
CVSS 8.1
CVE-2026-25720 WRITEUP MEDIUM WRITEUP
SenseLive X3050 Insufficient session expiration
A vulnerability exists in SenseLive X3050’s web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without requiring re-authentication. An attacker with access to a previously authenticated session could continue interacting with administrative functions long after legitimate user activity has ceased.
CVSS 5.4
CVE-2026-40630 WRITEUP CRITICAL WRITEUP
SenseLive X3050 Authentication bypass using an alternate path or channel
A vulnerability in  SenseLive X3050’s web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. An attacker with network access to the device may be able to bypass the intended authentication mechanism and directly interact with sensitive configuration functions.
CVSS 9.8