Description
Voltronic Power SNMP Web Pro version 1.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to access privileged management functions by manipulating browser localStorage values. Attackers can modify client-side authentication state to bypass server-side access controls and gain unauthorized access to protected management functionality without valid credentials.
Published: 2026-03-13
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass and Privileged Access
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in Voltronic Power SNMP Web Pro version 1.1 allows unauthenticated users to bypass authentication by modifying browser localStorage values. Attackers can change the client‑side authentication state that the server later trusts, thereby gaining access to privileged management functions without valid credentials. This defect is classified as CWE‑306: Missing Authentication.

Affected Systems

Affected systems are installations of Voltronic Power SNMP Web Pro version 1.1. The product is a web‑based SNMP management console that uses localStorage to store authentication tokens. No other versions or vendors are listed as affected. Users running this version should verify their firmware and apply any updates if available.

Risk and Exploitability

The CVSS score of 8.8 indicates a high-severity flaw, while the EPSS score of less than 1% indicates a low estimated likelihood of exploitation in the wild. The vulnerability is not included in the CISA KEV catalog. An attacker can exploit the flaw by accessing the web interface from a browser and manipulating localStorage values, which the server blindly accepts. Once the state is altered, the attacker can call privileged API endpoints or perform sensitive actions normally restricted by authentication.

Generated by OpenCVE AI on April 27, 2026 at 20:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update from Voltronic Power that addresses the localStorage authentication bypass.
  • Limit access to the SNMP Web Pro interface to trusted administrators by restricting network reachability (for example, local‑network only or VPN).
  • As a temporary workaround, clear or disable the localStorage usage for authentication in the browser console or by blocking the relevant cookie/key via application settings if available.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 19:30:00 +0000


Wed, 22 Apr 2026 19:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L'}


Wed, 22 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by importing a crafted options file with unescaped customCss field values. Attackers can supply a malicious JSON import file containing script payloads in the customCss parameter that execute on every page when rendered through the options handler without proper sanitization.
Values Added: Voltronic Power SNMP Web Pro version 1.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to access privileged management functions by manipulating browser localStorage values. Attackers can modify client-side authentication state to bypass server-side access controls and gain unauthorized access to protected management functionality without valid credentials.

Type: Title
Values Removed: wpDiscuz before 7.6.47 - Stored Cross-Site Scripting via Malicious Options Import
Values Added: Voltronic Power SNMP Web Pro 1.1 Authentication Bypass via localStorage

Weaknesses CWE-306
References

Type: Metrics
Values Removed: cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}
Values Added: cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N'}


Fri, 13 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 13 Mar 2026 02:00:00 +0000

Type Values Removed Values Added
Description wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by importing a crafted options file with unescaped customCss field values. Attackers can supply a malicious JSON import file containing script payloads in the customCss parameter that execute on every page when rendered through the options handler without proper sanitization.
Title wpDiscuz before 7.6.47 - Stored Cross-Site Scripting via Malicious Options Import
First Time appeared Gvectors
Gvectors wpdiscuz
Weaknesses CWE-79
CPEs cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
Vendors & Products Gvectors
Gvectors wpdiscuz
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


Subscriptions

Gvectors Wpdiscuz
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-22T18:34:51.911Z

Reserved: 2026-01-06T16:47:17.183Z

Link: CVE-2026-22192

Vulnrichment

Updated: 2026-03-13T15:04:17.541Z

NVD

Status: Modified

Published: 2026-03-13T19:54:09.507

Modified: 2026-04-22T19:17:00.303

Link: CVE-2026-22192

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T20:15:12Z

Weaknesses