Description
Path Traversal vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If this vulnerability is exploited, arbitrary files on the affected product may be retrieved by a logged-in user with the low("monitoring user") or higher privilege.
Published: 2026-01-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote File Disclosure
Action: Patch
AI Analysis

Impact

A path traversal flaw in the TRIFORA 3 series network cameras permits a logged-in user with monitoring or higher privileges to read arbitrary files from the device’s filesystem. The vulnerability is a classic content‑injection error (CWE‑22) that can lead to disclosure of configuration files, credentials, or other sensitive data, potentially compromising the camera’s security and the network it serves.

Affected Systems

Devices from TOA Corporation’s TRIFORA 3 series network cameras are affected. Specific firmware or model versions are not enumerated in the advisory, indicating that all publicly offered TRIFORA 3 cameras may be vulnerable until a corrected firmware release is deployed.

Risk and Exploitability

The CVSS score of 7.1 reflects moderate to high impact, while the EPSS score of less than 1% suggests a low likelihood of public exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, and an attacker must be authenticated as at least a monitoring user to leverage the flaw. Consequently, the risk is primarily confined to environments where such accounts exist and the cameras are exposed to internal or trusted network traffic.

Generated by OpenCVE AI on April 18, 2026 at 05:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the camera’s firmware to a version that includes the path‑traversal fix, as detailed in TOA’s security advisory PDF.
  • Restrict or remove monitoring‑level user accounts from the camera’s configuration, ensuring only necessary privileged users exist.
  • Apply network segmentation or firewall rules to limit access to camera management interfaces to trusted hosts only.

Generated by OpenCVE AI on April 18, 2026 at 05:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 16 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Toa Corporation
Toa Corporation trifora 3 Series
Vendors & Products Toa Corporation
Toa Corporation trifora 3 Series
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 Jan 2026 08:30:00 +0000

Type Values Removed Values Added
Description Path Traversal vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If this vulnerability is exploited, arbitrary files on the affected product may be retrieved by a logged-in user with the low("monitoring user") or higher privilege.
Weaknesses CWE-22
References
Metrics cvssV3_0

{'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Toa Corporation Trifora 3 Series
cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-01-16T13:45:02.768Z

Reserved: 2026-01-14T04:14:36.610Z

Link: CVE-2026-22876

cve-icon Vulnrichment

Updated: 2026-01-16T13:44:58.307Z

cve-icon NVD

Status : Deferred

Published: 2026-01-16T09:16:23.013

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22876

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T06:00:08Z

Weaknesses