Description
Cross-site scripting vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If an attacking administrator configures the affected product with some malicious input, an arbitrary script may be executed on the web browser of a victim administrator who accesses the setting screen.
Published: 2026-01-16
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting allowing arbitrary script execution in the camera configuration web interface
Action: Apply Patch
AI Analysis

Impact

A cross‑site scripting flaw exists in the settings page of TOA Corporation’s TRIFORA 3 series network cameras. When an attacking administrator configures the device with malicious input, the browser of a victim administrator who later opens the setting screen can execute that input as client‑side code. The script runs in the context of the victim administrator’s browser session. The weakness maps to CWE‑79.

Affected Systems

The vulnerability affects the TRIFORA 3 series cameras from TOA Corporation. No specific firmware or version numbers are listed in the advisory, so any TRIFORA 3 series device on its current software should be treated as potentially exposed.

Risk and Exploitability

The CVSS base score of 4.8 classifies the flaw as medium severity. The EPSS score of less than 1% indicates a very low exploitation probability, and the issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker must have administrative access to the camera and be able to supply malicious input into the configuration interface, which limits the attack vector and reduces the likelihood of widespread impact.

Generated by OpenCVE AI on April 18, 2026 at 16:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security update for TRIFORA 3 cameras as referenced in the vendor advisory (https://www.toa-products.com/securityinfo/pdf/tv2025-001jp.pdf).
  • Restrict access to the camera configuration interface to trusted IP ranges or internal networks to reduce exposure to potential attackers.
  • Implement input validation and proper output encoding (e.g., escaping) on the camera’s web interface to mitigate XSS, following best practices for CWE‑79.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
Title | | Cross‑Site Scripting in TOA TRIFORA 3 Network Camera Setup Screen

Fri, 16 Jan 2026 14:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Toa Corporation; Toa Corporation trifora 3 Series
Vendors & Products | | Toa Corporation; Toa Corporation trifora 3 Series
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 Jan 2026 08:30:00 +0000

Type | Values Removed | Values Added
Description | | Cross-site scripting vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If an attacking administrator configures the affected product with some malicious input, an arbitrary script may be executed on the web browser of a victim administrator who accesses the setting screen.
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_0: {'score': 4.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}
 | | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-01-16T13:45:31.792Z

Reserved: 2026-01-14T04:14:33.376Z

Link: CVE-2026-20894

Vulnrichment

Updated: 2026-01-16T13:45:28.313Z

NVD

Status: Deferred

Published: 2026-01-16T09:16:22.650

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-20894

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:15:04Z

Weaknesses