Description
Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return verbose .NET stack traces. These error messages expose internal class names, method calls, and third-party library references (e.g., System.Data.SQLite), which may assist attackers in mapping the application's internal structure.
Published: 2026-03-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Assess Impact
AI Analysis

Impact

NavBox’s /api/ais-data endpoint is vulnerable to an unhandled exception that returns verbose .NET stack traces when a remote attacker sends crafted requests. The resulting error messages reveal internal class names, method calls, and third‑party library references such as System.Data.SQLite, thereby exposing the application’s internal structure. This behavior corresponds to an information‑disclosure weakness (CWE‑209).

Affected Systems

The affected product is Navtor NavBox; no specific affected versions are listed in the CVE payload.

Risk and Exploitability

The CVSS score of 5.3 places this vulnerability in the moderate severity range, while the EPSS score of less than 1% indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation is possible over the network by any host capable of issuing HTTP requests to the /api/ais-data endpoint; authentication is not required.

Generated by OpenCVE AI on April 17, 2026 at 12:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NavBox to a version with the exception handling fix.
  • Configure the application to suppress detailed stack traces in production environments by setting appropriate error‑handling options.
  • Restrict or throttle access to the /api/ais-data endpoint, for example by implementing authentication or firewall rules.



Advisories

No advisories yet.

History

Fri, 17 Apr 2026 12:45:00 +0000

  Type: Title
  Values Added: Information Disclosure via Verbose .NET Stack Traces in NavBox /api/ais-data

Tue, 10 Mar 2026 16:00:00 +0000

  Type: References

Mon, 09 Mar 2026 16:15:00 +0000

  Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

  Type: First Time appeared
  Values Added: Navtor; Navtor navbox

  Type: Vendors & Products
  Values Added: Navtor; Navtor navbox

Fri, 06 Mar 2026 15:15:00 +0000

  Type: Description
  Values Added: Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return verbose .NET stack traces. These error messages expose internal class names, method calls, and third-party library references (e.g., System.Data.SQLite), which may assist attackers in mapping the application's internal structure.

  Type: Weaknesses
  Values Added: CWE-209

  Type: References

  Type: Metrics
  Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: MHV

Published:

Updated: 2026-03-10T15:48:32.979Z

Reserved: 2026-02-19T14:48:27.721Z

Link: CVE-2026-2752

Vulnrichment

Updated: 2026-03-09T15:22:26.593Z

NVD

Status: Awaiting Analysis

Published: 2026-03-06T15:16:10.987

Modified: 2026-03-10T18:18:49.663

Link: CVE-2026-2752

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z
