CVE-2026-1997

MEDIUM

HP OfficeJet Pro - Info Disclosure

Title source: llm

Description

Certain HP OfficeJet Pro printers may expose information if Cross‑Origin Resource Sharing (CORS) is misconfigured, potentially allowing unauthorized web origins to access device resource. CORS is disabled by default on Pro‑class devices and can only be enabled by an administrator through the Embedded Web Server (EWS). Keeping CORS disabled unless explicitly required helps ensure that only trusted solutions can interact with the device.

References (1)

[Vendor Advisory] https://support.hp.com/us-en/document/ish_14051823-14051849-16/hpsbpi04086

Scores

CVSS v3 5.3

EPSS 0.0001

EPSS Percentile 0.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-346

Status published

Products (41)

hp/d9l18a_firmware < 001.2602a

hp/d9l20a_firmware < 001.2602b

hp/d9l21a_firmware < 001.2602b

hp/d9l63a_firmware < 001.2602b

hp/d9l64a_firmware < 001.2602b

hp/g5j38a_firmware < 001.2602a

hp/g5j56a_firmware < 001.2602a

hp/j3p65a_firmware < 001.2602b

hp/j3p66a_firmware < 001.2602b

hp/j3p67a_firmware < 001.2602b

... and 31 more

Published Feb 10, 2026

Tracked Since Feb 18, 2026