Description
A security flaw has been discovered in Flycatcher Toys smART Pixelator 2.0. Affected by this issue is some unknown functionality of the component Bluetooth Low Energy Interface. Performing a manipulation results in missing authentication. The attack can only be performed from the local network. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Assess Impact
AI Analysis

Impact

The flaw allows an attacker connected to the device’s local network to interact with the Bluetooth Low Energy interface without any form of authentication, effectively bypassing access controls. Because authentication is missing, an attacker can manipulate functionality of the component, potentially altering settings or extracting sensitive data that the device processes or stores. The impact is confined to the device’s internal state and the information it handles, but a compromised device can be used as an uncontrolled endpoint in further attacks.

Affected Systems

The vulnerability is present in Flycatcher Toys smART Pixelator 2.0, specifically within its Bluetooth Low Energy component. No other versions or variants are listed as affected.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the near term. The vulnerability is not in the CISA KEV catalog, implying it has not been widely leveraged in known exploits. However, the exploit is publicly available and can be executed from the local network, meaning any affected device reachable from the same LAN or local segment is potentially exposed. Without an official vendor fix, the risk depends on the attacker's presence on the local network and their ability to interact with the BLE interface.

Generated by OpenCVE AI on April 17, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or block the BLE interface on the device if it is not required for operation.
  • Contact Flycatcher Toys urgently and install any firmware update that addresses the authentication issue as soon as it becomes available.
  • Place the device on an isolated network segment and monitor Bluetooth traffic for anomalous connections, blocking any unapproved devices at the network boundary.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 21:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Flycatcher; Flycatcher smart Pixelator; Flycatcher smart Pixelator Firmware
Weaknesses | | CWE-862
CPEs | | cpe:2.3:h:flycatcher:smart_pixelator:2.0:*:*:*:*:*:*:*; cpe:2.3:o:flycatcher:smart_pixelator_firmware:-:*:*:*:*:*:*:*
Vendors & Products | | Flycatcher; Flycatcher smart Pixelator; Flycatcher smart Pixelator Firmware

Mon, 09 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Flycatcher Toys; Flycatcher Toys smart Pixelator
Vendors & Products | | Flycatcher Toys; Flycatcher Toys smart Pixelator

Fri, 06 Feb 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Feb 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | A security flaw has been discovered in Flycatcher Toys smART Pixelator 2.0. Affected by this issue is some unknown functionality of the component Bluetooth Low Energy Interface. Performing a manipulation results in missing authentication. The attack can only be performed from the local network. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Flycatcher Toys smART Pixelator Bluetooth Low Energy missing authentication
Weaknesses | | CWE-287; CWE-306
References | |
Metrics | | cvssV2_0: {'score': 5.8, 'vector': 'AV:A/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:27:42.050Z

Reserved: 2026-02-06T06:56:14.457Z

Link: CVE-2026-2065

Vulnrichment

Updated: 2026-02-06T20:15:25.924Z

NVD

Status: Analyzed

Published: 2026-02-06T20:16:12.270

Modified: 2026-03-05T20:52:26.223

Link: CVE-2026-2065

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:30:29Z

Weaknesses