Back to overview

CVE-2026-46458

HIGH
7.1
CVSS 4.0
Description
ICU Scandinavia Boomerang is vulnerable to an information disclosure flaw where sensitive credential files are exposed via static HTTP. This allows an unauthenticated remote attacker to retrieve plaintext service account and SMTP credentials by requesting specific XML files from the webroot. This issue has been fixed in version 2.4.18.029

Metadata

CVE ID
CVE-2026-46458
State
PUBLISHED
Assigner
CERT-PL
Reserved
2026-05-14 14:11 UTC
Published
2026-07-15 12:51 UTC
Last updated
2026-07-15 13:02 UTC
Primary CWE
CWE-522
CWE-522 Insufficiently Protected Credentials
Vendor / Product
ICU Scandinavia / Boomerang
Sources
cve.org  ·  NVD

Severity & Metrics

7.1 HIGH CVSS 4.0
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
ICU Scandinavia Boomerang 0 < 2.4.18.029
Weakness (CWE)
CWESourceDescription
CWE-522 cna CWE-522 Insufficiently Protected Credentials
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.1 HIGH 4.0 cna CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Back to overview