CVE-2026-23767 | ESC/POS, a printer control language designed by Seiko Epson … | CVSS 9.8 CRITICAL

Description

ESC/POS, a printer control language designed by Seiko Epson Corporation, lacks mechanisms for user authentication and command authorization, does not provide controls to restrict sources or destinations of network communication, and transmits commands without encryption or integrity protection.

Metadata

CVE ID: CVE-2026-23767
State: PUBLISHED
Assigner: jpcert
Reserved: 2026-01-16 02:20 UTC
Published: 2026-03-05 05:34 UTC
Last updated: 2026-03-06 10:21 UTC
Primary CWE: CWE-306
Missing authentication for critical function
Vendor / Product: Seiko Epson Corporation / ESC/POS
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Seiko Epson Corporation	ESC/POS	—	All products implementing ESC/POS

Weakness (CWE)

CWE	Source	Description
CWE-306	cna	Missing authentication for critical function

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (3)