CVE-2026-2754

HIGH

Navtor NavBox - Info Disclosure

Title source: llm

Description

Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute HTTP GET requests to TCP port 8080 to retrieve internal network parameters including ECDIS & OT Information, device identifiers, and service status logs.

Exploits (2)

nomisec STUB 1 stars

by PegasusMetaSec · poc

https://github.com/PegasusMetaSec/Pegasus-CVE-2026-2754-Framework-

View Code ZIP pw:eip

nomisec STUB 1 stars

by PegasusMetaSec · poc

https://github.com/PegasusMetaSec/PEGASUS-CVE-2026-2754

View Code ZIP pw:eip

References (2)

[Various Sources] https://www.navtor.com/navtor-vendor-statement

[Various Sources] https://cydome.io/vulnerability-advisory-cve-2026-2754-in-navtor-navbox-version-4-12-0-3

Scores

CVSS v3 7.5

EPSS 0.0004

EPSS Percentile 10.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-306

Status published

Products (2)

Navtor/NavBox 4.12.0.3

Navtor/NavBox 4.16.2.4

Published Mar 06, 2026

Tracked Since Mar 06, 2026