Description
Zervit's portable HTTP/web server is vulnerable to remote DoS attacks when a configuration reset request is made. The vulnerability is caused by inadequate validation of user-supplied input. An attacker can exploit this vulnerability by sending malicious requests. If the vulnerability is successfully exploited, the application can be made to stop responding, resulting in a DoS condition. It is possible to manually restart the application.
Published: 2026-04-21
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Monitor
AI Analysis

Impact

Zervit's portable HTTP/web server fails to validate user input when a configuration reset request is processed. A remote attacker can send specially crafted requests that cause the server to stop responding, leading to a denial‑of‑service condition. Because the flaw affects only availability, confidentiality and integrity remain unchanged.

Affected Systems

The vulnerability affects Zervit’s portable HTTP/Web server. No specific product versions are listed, so any installation of the portable HTTP/Web server is potentially impacted.

Risk and Exploitability

The CVSS score of 8.2 indicates a high severity vulnerability. The EPSS score is below 1 %, implying a low likelihood of exploitation, and it is not yet listed in CISA’s KEV catalog. The attack requires remote access to the server, typically via an HTTP request to the configuration reset endpoint. The attacker can trigger a DoS by sending malformed or oversized input that bypasses the server’s validation logic.

Generated by OpenCVE AI on April 21, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑supplied patches or upgrade to a newer release of the portable HTTP/Web server where input validation of reset requests is fixed.
  • If a patch is unavailable, block or restrict access to the configuration reset endpoint using firewall rules or by disabling the feature on the production instance.
  • Monitor inbound traffic and logs for abnormal reset request patterns and schedule periodic application restarts to mitigate any transient service disruption.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Zervit portable Http/web Server
Vendors & Products | | Zervit portable Http/web Server

Tue, 21 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 09:15:00 +0000

Type | Values Removed | Values Added
Description | | Zervit's portable HTTP/web server is vulnerable to remote DoS attacks when a configuration reset request is made. The vulnerability is caused by inadequate validation of user-supplied input. An attacker can exploit this vulnerability by sending malicious requests. If the vulnerability is successfully exploited, the application can be made to stop responding, resulting in a DoS condition. It is possible to manually restart the application.
Title | | Incorrect input validation on the Zervit portable HTTP/Web server
First Time appeared | | Zervit; Zervit portable Http Web Server
Weaknesses | | CWE-20
CPEs | | cpe:2.3:a:zervit:portable_http_web_server:0:*:*:*:*:*:*:*
Vendors & Products | | Zervit; Zervit portable Http Web Server
References | |
Metrics | | cvssV4_0: {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:D/RE:L'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-04-21T13:23:30.712Z

Reserved: 2025-12-01T14:33:41.665Z

Link: CVE-2025-13826

Vulnrichment

Updated: 2026-04-21T13:23:23.370Z

NVD

Status: Deferred

Published: 2026-04-21T09:16:06.087

Modified: 2026-06-17T08:34:50.203

Link: CVE-2025-13826

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:46:41Z

Weaknesses
  • CWE-20: Improper Input Validation