Description
The PaperCut NG/MF (specifically, the embedded application for Konica Minolta devices) is vulnerable to session hijacking. The PaperCut NG/MF Embedded application is a software interface that runs directly on the touch screen of a multi-function device.

It was internally discovered that the communication channel between the embedded application and the server was insecure, which could leak data including sensitive information that may be used to mount an attack on the device. Such an attack could potentially be used to steal data or to perform a phishing attack on the end user.
Published: 2026-03-31
Score: 3.6 Low
EPSS: < 1% Very Low
KEV: No
Impact: Session hijacking that may expose sensitive data or enable phishing
Action: Assess Impact
AI Analysis

Impact

The vulnerability arises from an insecure communication channel between the PaperCut NG/MF Embedded application on Konica Minolta devices and the PaperCut server. Because the channel does not encrypt data, an attacker can intercept session information, leading to session hijacking. The primary impact is potential disclosure of sensitive data and the ability to launch phishing attacks against the device user. This weakness falls under CWE-319, the under‑used category of clear‑text transmission of sensitive information.

Affected Systems

The affected product is PaperCut NG/MF, specifically the embedded application that runs on Konica Minolta multi‑function devices. No specific product version references were supplied, so all versions of the embedded app distributed by PaperCut for Konica Minolta devices are considered vulnerable.

Risk and Exploitability

The CVSS score of 3.6 indicates a low security impact under the current scoring methodology, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to be able to observe or intercept communications between the device and its server, which may be possible on the same network or via a compromised server. While the risk surface is limited, the possibility of data theft or user deception warrants careful assessment by customers operating vulnerable devices.

Generated by OpenCVE AI on April 3, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest PaperCut NG/MF patch or update to a version that secures the communication channel between the embedded application and the server.
  • Ensure that all traffic between the embedded application and the PaperCut server uses secure transport (HTTPS/TLS) and that certificates are properly validated.
  • Monitor network traffic and device logs for signs of session hijacking or suspicious activity.


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 19:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Papercut papercut Mf Konica Minolta
CPEs | | cpe:2.3:a:papercut:papercut_mf:*:*:*:*:*:*:*:*; cpe:2.3:a:papercut:papercut_mf_konica_minolta:*:*:*:*:*:*:*:*
Vendors & Products | | Papercut papercut Mf Konica Minolta
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Fri, 03 Apr 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Papercut; Papercut papercut Mf
Vendors & Products | | Papercut; Papercut papercut Mf

Tue, 31 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 03:00:00 +0000

Type | Values Removed | Values Added
Description | | The PaperCut NG/MF (specifically, the embedded application for Konica Minolta devices) is vulnerable to session hijacking. The PaperCut NG/MF Embedded application is a software interface that runs directly on the touch screen of a multi-function device. It was internally discovered that the communication channel between the embedded application and the server was insecure, which could leak data including sensitive information that may be used to mount an attack on the device. Such an attack could potentially be used to steal data or to perform a phishing attack on the end user.
Title | | Session hijacking in PaperCut NG/MF embedded application for Konica Minolta devices
Weaknesses | | CWE-319
References | |
Metrics | | cvssV4_0: {'score': 3.6, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: PaperCut

Published:

Updated: 2026-03-31T13:59:35.485Z

Reserved: 2026-03-29T22:32:07.583Z

Link: CVE-2026-5115

Vulnrichment

Updated: 2026-03-31T13:59:32.773Z

NVD

Status: Analyzed

Published: 2026-03-31T01:16:36.900

Modified: 2026-04-03T18:11:36.917

Link: CVE-2026-5115

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:08:18Z

Weaknesses