CVE-2026-2754

HIGH

Navtor NavBox 4.12.0.3 and 4.16.2.4 - Unauthenticated Sensitive Data Exposure via HTTP API Endpoints

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-2754. PoCs published by PegasusMetaSec.

AI-analyzed exploit summary: The repository contains only a minimal README with no exploit code, technical details, or meaningful content. It appears to be a placeholder or stub.

Description

Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute HTTP GET requests to TCP port 8080 to retrieve internal network parameters including ECDIS & OT Information, device identifiers, and service status logs.

Exploits (2)

nomisec STUB 1 stars
by PegasusMetaSec · poc
https://github.com/PegasusMetaSec/Pegasus-CVE-2026-2754-Framework-

The repository contains only a minimal README with no exploit code, technical details, or meaningful content. It appears to be a placeholder or stub.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Apr 22, 2026

nomisec STUB 1 stars
by PegasusMetaSec · poc
https://github.com/PegasusMetaSec/PEGASUS-CVE-2026-2754

The repository contains only a minimal README with no exploit code, technical details, or meaningful content. It appears to be a placeholder or stub.

Classification: Stub 100%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Apr 21, 2026

Scores

CVSS v3 7.5
EPSS 0.0050
EPSS Percentile 38.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE CWE-306
Status published
Products (3)
Navtor/NavBox 4.12.0.3
Navtor/NavBox 4.16.2.4
navtor/navbox_firmware 4.12.0.3 - 4.16.2.4
Published Mar 06, 2026
Tracked Since Mar 06, 2026