CVE-2026-2752
MEDIUMNavtor NavBox 4.12.0.3 and 4.16.2.4 - Unauthenticated Sensitive Information Disclosure via AIS-Data Endpoint
Title source: llmDescription
Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return verbose .NET stack traces. These error messages expose internal class names, method calls, and third-party library references (e.g., System.Data.SQLite), which may assist attackers in mapping the application's internal structure.
References (2)
Core 2
Core References
Various Sources technical-description
https://cydome.io/vulnerability-advisory-cve-2026-2752-in-navtor-navbox-version-4-12-0-3
Various Sources vendor-advisory
https://www.navtor.com/navtor-vendor-statement
Scores
CVSS v3
5.3
EPSS
0.0026
EPSS Percentile
17.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-209
Status
published
Products (3)
Navtor/NavBox
4.12.0.3
Navtor/NavBox
4.16.2.4
navtor/navbox_firmware
4.12.0.3 - 4.16.2.4
Published
Mar 06, 2026
Tracked Since
Mar 06, 2026