Description
A vulnerability in SenseLive X3050's web management interface allows state-changing operations to be triggered without proper Cross-Site Request Forgery (CSRF) protections. Because the application does not enforce server-side validation of request origin or implement CSRF tokens, a malicious external webpage could cause a user's browser to submit unauthorized configuration requests to the device.
Published: 2026-04-24
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Configuration compromise
Action: Contact Vendor
AI Analysis

Impact

A flaw in the SenseLive X3050’s web management interface permits state‑changing operations without Cross‑Site Request Forgery protections. Because the device lacks server‑side validation of request origin or CSRF tokens, an attacker could host a malicious webpage that causes a victim’s browser to submit unauthorized configuration requests to the device. This can lead to unintended configuration changes that may enable further compromise or disrupt device operation. The weakness is identified as CWE‑352: Cross‑Site Request Forgery.

Affected Systems

The vulnerability affects SenseLive X3050 devices. No specific firmware or build numbers are listed, so any deployed X3050 device that has not applied a vendor‑issued fix is potentially exposed.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity, while the EPSS score of less than 1% indicates a low estimated probability of exploitation in the near term. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation likely requires the victim to visit a malicious site or follow a crafted link, after which the attacker can submit configuration changes through the victim’s browser. While the probability is low, the impact of a successful attack could be significant, allowing an attacker to alter device settings, disable security features, or prepare the device for additional attacks.

Generated by OpenCVE AI on April 28, 2026 at 07:07 UTC.

Remediation

Vendor Solution

SenseLive did not respond to CISA's requests to coordinate. Affected users are encouraged to reach out to SenseLive for more information. https://senselive.io/contact


OpenCVE Recommended Actions

  • Contact SenseLive support for a firmware update or configuration guidance that addresses the CSRF vulnerability.
  • Restrict access to the device’s web management interface to trusted IP ranges or subnet(s) using firewall or NAT rules.
  • Require VPN access or strong authentication, and enforce least‑privilege access when administering the device.
  • Deploy a web application firewall that detects and blocks cross‑site request forgery patterns or enforces same‑origin checks.


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Senselive x3500; Senselive x3500 Firmware |
| CPEs | | cpe:2.3:h:senselive:x3500:-:*:*:*:*:*:*:*; cpe:2.3:o:senselive:x3500_firmware:1.523:*:*:*:*:*:*:* |
| Vendors & Products | | Senselive x3500; Senselive x3500 Firmware |

Tue, 28 Apr 2026 09:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Senselive; Senselive x3050 |
| Vendors & Products | | Senselive; Senselive x3050 |

Fri, 24 Apr 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 24 Apr 2026 00:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability in SenseLive X3050's web management interface allows state-changing operations to be triggered without proper Cross-Site Request Forgery (CSRF) protections. Because the application does not enforce server-side validation of request origin or implement CSRF tokens, a malicious external webpage could cause a user's browser to submit unauthorized configuration requests to the device. |
| Title | | SenseLive X3050 Cross-Site request forgery |
| Weaknesses | | CWE-352 |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}; cvssV4_0: {'score': 8.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:H'} |


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-24T18:18:30.759Z

Reserved: 2026-04-14T15:57:14.980Z

Link: CVE-2026-27841

Vulnrichment

Updated: 2026-04-24T16:50:43.813Z

NVD

Status: Analyzed

Published: 2026-04-24T00:16:26.933

Modified: 2026-04-28T19:32:20.600

Link: CVE-2026-27841

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T09:25:29Z
