Description
Heptabase developed by Hepta Platforms has an Exposed Dangerous Method or Function vulnerability, allowing unauthenticated remote attackers to leverage social engineering techniques to trick a victim into opening or loading a malicious webpage within the Heptabase application, thereby gaining unauthorized access to camera and microphone permissions.
Published: 2026-06-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Heptabase, developed by Hepta Platforms, contains an exposed dangerous method that can be invoked by unauthenticated remote actors. By tricking a user into loading a malicious web page within the application, the attacker can gain direct access to the victim’s camera and microphone, thereby violating privacy and enabling covert surveillance. The weakness is classified as CWE-749, highlighting the risk of exposing dangerous functionality.

Affected Systems

All versions of Heptabase released by Hepta Platforms prior to version 1.90.2 are vulnerable. The vendor recommends updating to version 1.90.2 or later to remedy the exposed method. No further version granularity is available from the vendor.

Risk and Exploitability

The CVSS score of 6.9 signifies moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a social‑engineering step: an attacker must persuade a user to load a malicious page inside Heptabase, after which the exposed method can access camera and microphone. Although the attack is remote and user‑dependent, the potential for privacy violation remains significant.

Generated by OpenCVE AI on June 12, 2026 at 07:50 UTC.

Remediation

Vendor Solution

Please update to version 1.90.2 or later.


OpenCVE Recommended Actions

  • Apply the vendor’s patch by upgrading to version 1.90.2 or newer.
  • Disable or restrict the ability of users to load external web pages within the Heptabase application.
  • Limit camera and microphone permissions for the application or enforce explicit user consent policies.
  • Provide user awareness training to recognize phishing attempts that prompt for camera or microphone access.


Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

  • First Time appeared (added): Hepta Platforms; Hepta Platforms heptabase
  • Vendors & Products (added): Hepta Platforms; Hepta Platforms heptabase

Fri, 12 Jun 2026 14:30:00 +0000

  • Metrics (added):
    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 06:45:00 +0000

  • Description (added): Heptabase developed by Hepta Platforms has an Exposed Dangerous Method or Function vulnerability, allowing unauthenticated remote attackers to leverage social engineering techniques to trick a victim into opening or loading a malicious webpage within the Heptabase application, thereby gaining unauthorized access to camera and microphone permissions.
  • Title (added): Hepta Platforms|Heptabase - Exposed Dangerous
  • Weaknesses (added): CWE-749
  • References
  • Metrics (added):
    cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}
    cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-06-12T13:54:04.105Z

Reserved: 2026-06-12T06:01:43.245Z

Link: CVE-2026-12060

Vulnrichment

Updated: 2026-06-12T13:53:58.161Z

NVD

Status: Deferred

Published: 2026-06-12T07:16:21.090

Modified: 2026-06-12T16:00:18.860

Link: CVE-2026-12060

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:21:00Z

Weaknesses
  • CWE-749

    Exposed Dangerous Method or Function