Description
Vitals ESP developed by Galaxy Software Services has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to execute certain functions to obtain sensitive information.
Published: 2026-03-24
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of sensitive information
Action: Vendor Patch
AI Analysis

Impact

The vulnerability is a missing authentication flaw that lets attackers, without valid credentials, call specific functions on the Vitals ESP service to retrieve confidential data. This breach of confidentiality is the primary harm, allowing remote actors to obtain sensitive information exposed by the application.

Affected Systems

Galaxy Software Services’ Vitals ESP product is affected. No specific version range is given in the advisory, so all deployed instances of Vitals ESP could be vulnerable until the vendor issues a fix.

Risk and Exploitability

The CVSS score of 8.7 marks it as high severity. The exploit probability is not estimated in the advisory. It is not listed in the CISA KEV catalog. Exploitation requires only sending HTTP requests to the exposed endpoints; no authentication is needed, which makes it straightforward for any attacker who can reach the service.

Generated by OpenCVE AI on March 24, 2026 at 06:21 UTC.

Remediation

Vendor Solution

Contact the vendor to obtain the patch.


OpenCVE Recommended Actions

  • Contact Galaxy Software Services to obtain the patch.
  • Apply the vendor patch once available.
  • Restrict network access to the Vitals ESP service with firewall rules to limit exposure if a patch cannot be applied immediately.


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Gss; Gss vitalsesp
CPEs | | cpe:2.3:a:gss:vitalsesp:*:*:*:*:*:*:*:*
Vendors & Products | | Gss; Gss vitalsesp

Tue, 24 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Galaxy Software Services Corporation; Galaxy Software Services Corporation vitals Esp
Vendors & Products | | Galaxy Software Services Corporation; Galaxy Software Services Corporation vitals Esp

Tue, 24 Mar 2026 05:15:00 +0000

Type | Values Removed | Values Added
Description | | Vitals ESP developed by Galaxy Software Services has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to execute certain functions to obtain sensitive information.
Title | | Galaxy Software Services|Vitals ESP - Missing Authentication
Weaknesses | | CWE-306
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-03-24T14:32:28.738Z

Reserved: 2026-03-23T10:47:15.457Z

Link: CVE-2026-4640

Vulnrichment

Updated: 2026-03-24T14:32:25.659Z

NVD

Status: Analyzed

Published: 2026-03-24T05:16:25.387

Modified: 2026-04-15T16:27:42.610

Link: CVE-2026-4640

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:40:08Z

Weaknesses