Description
Multiple cross-site scripting vulnerabilities in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to execute arbitrary JavaScript code in the browser of other Admin UI users.
Published: 2026-01-27
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting (XSS)
Action: Patch Firmware
AI Analysis

Impact

The EZCast Pro II dongle's Admin UI contains multiple cross-site scripting flaws that allow an attacker to inject JavaScript that then executes in the browsers of other Admin UI users. Because the injected script runs in the context of the victim's Admin UI session, it executes with whatever access that user has to the interface whenever the user views the injected content.

Affected Systems

The affected product is the EZCast Pro II dongle, specifically firmware version 1.17478.146; only devices running this firmware are reported as vulnerable. The device likely serves a local or access-point network on which the Admin UI is reachable over HTTP/HTTPS.

Risk and Exploitability

The CVSS score of 7.4 signals high severity, but the EPSS score is below 1%, indicating a low current likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation goes through the web-based Admin UI and requires a browser session with access to the dongle's configuration interface, whether locally or via an exposed network port; the CVSS 4.0 vector recorded in the history below (AV:A/AC:H/UI:P) rates the attack vector as adjacent network, with high attack complexity and user interaction required.

Generated by OpenCVE AI on April 18, 2026 at 18:47 UTC.

Remediation

Vendor Workaround

Until the vendor releases a firmware patch, users are advised to disconnect the dongle from their local network and limit its use strictly to access-point functionality to minimize the attack surface.


OpenCVE Recommended Actions

  • Install any firmware update released by EZCast that addresses the XSS vulnerabilities.
  • Until a patch is available, disconnect the dongle from the local network and use it only for access‑point functionality as advised by the vendor.
  • Limit remote access to the Admin UI by blocking inbound connections from untrusted networks, or disable the Admin UI entirely if it is not required.


Advisories

No advisories yet.

References
History

Thu, 05 Feb 2026 17:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nimbletech; Nimbletech ezcast Pro Dongle Ii; Nimbletech ezcast Pro Dongle Ii Firmware
Weaknesses | | CWE-79
CPEs | | cpe:2.3:h:nimbletech:ezcast_pro_dongle_ii:-:*:*:*:*:*:*:*; cpe:2.3:o:nimbletech:ezcast_pro_dongle_ii_firmware:1.17478.146:*:*:*:*:*:*:*
Vendors & Products | | Nimbletech; Nimbletech ezcast Pro Dongle Ii; Nimbletech ezcast Pro Dongle Ii Firmware
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Tue, 27 Jan 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Actions-micro; Actions-micro ezcast Pro Ii; Actions-micro ezcast Pro Ii Firmware
Vendors & Products | | Actions-micro; Actions-micro ezcast Pro Ii; Actions-micro ezcast Pro Ii Firmware

Tue, 27 Jan 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 09:45:00 +0000

Type | Values Removed | Values Added
Description | | Multiple cross-site scripting vulnerabilities in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to execute arbitrary JavaScript code in the browser of other Admin UI users.
Title | | Multiple cross-site scripting vulnerabilities in EZCast Pro II Dongle
Weaknesses | | CWE-20
References | |
Metrics | | cvssV4_0 {'score': 7.4, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N/R:U'}


MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-01-27T14:37:02.162Z

Reserved: 2026-01-22T12:55:22.578Z

Link: CVE-2026-24348

Vulnrichment

Updated: 2026-01-27T14:36:56.030Z

NVD

Status: Analyzed

Published: 2026-01-27T10:15:49.360

Modified: 2026-02-05T17:24:11.120

Link: CVE-2026-24348

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:00:08Z

Weaknesses