Description
A vulnerability affecting the listed versions of Cryptobox allows a legitimate user to prevent another user from logging in by triggering an account lockout with a specially crafted request.
Published: 2026-04-28
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Account lockout denial of service
Action: Apply Patch
AI Analysis

Impact

A legitimate authenticated user can send a specially crafted request that forces another user's account into a lockout state, preventing that account from logging in. This results in a denial of service for the targeted user and can degrade the overall availability of the Cryptobox service.

Affected Systems

Ercom Cryptobox versions before 4.40.177 are vulnerable. The issue is reported for version 4.40.175; earlier releases that have not received the fix are also affected.

Risk and Exploitability

The CVSS score of 4.9 indicates a moderate impact. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires an authenticated session within Cryptobox and involves sending a crafted request; the current description does not indicate remote code execution or privilege escalation.

Generated by OpenCVE AI on April 28, 2026 at 23:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cryptobox to version 4.40.177 or later.
  • Limit the ability to trigger account lockouts to users with appropriate administrative privileges.
  • Enable monitoring of lockout events and alert administrators when abnormal lockout attempts are detected.
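The third recommendation above, monitoring lockout events and alerting on abnormal patterns, can be implemented as a simple log-analysis rule. The following is an added example, not code from OpenCVE or Ercom: it assumes a key=value lockout log format (the real Cryptobox log format is not documented here) and uses constructed sample lines. The rule flags any actor whose actions lock out several distinct accounts other than their own within a short window, which is the pattern this vulnerability would produce; a user locking out their own account through mistyped passwords is treated as normal and ignored.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in an assumed key=value format. The field
# names (event, target, actor, src) are assumptions for this example; the
# page does not document the product's real audit log.
SAMPLE_LOG = """\
2026-04-28T10:00:01Z event=account_locked target=alice actor=alice src=10.0.0.7
2026-04-28T10:01:10Z event=account_locked target=bob actor=mallory src=10.0.0.5
2026-04-28T10:01:12Z event=account_locked target=carol actor=mallory src=10.0.0.5
2026-04-28T10:01:15Z event=account_locked target=dave actor=mallory src=10.0.0.5
2026-04-28T10:30:00Z event=account_locked target=erin actor=mallory src=10.0.0.5
2026-04-28T10:45:00Z event=login_ok target=alice actor=alice src=10.0.0.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    return {"ts": ts.replace(tzinfo=timezone.utc), **fields}


def find_lockout_campaigns(log_text, window_minutes=5, min_targets=3):
    """Return {actor: sorted list of locked-out targets} for every actor whose
    lockout events against *other* accounts reach min_targets distinct targets
    inside any window of window_minutes. Self-lockouts are not counted."""
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("event") != "account_locked":
            continue
        if ev.get("actor") == ev.get("target"):
            continue  # a user locking their own account is ordinary behaviour
        by_actor[ev["actor"]].append((ev["ts"], ev["target"]))

    flagged = {}
    for actor, events in by_actor.items():
        events.sort()  # chronological, so each window is a contiguous slice
        for i, (t0, _) in enumerate(events):
            targets = {tgt for ts, tgt in events[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                flagged[actor] = sorted(targets)
                break  # one hit per actor is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for actor, targets in find_lockout_campaigns(SAMPLE_LOG).items():
        print(f"ALERT: {actor} locked out {len(targets)} other accounts: {targets}")
```

The thresholds are deliberately parameters: a service with many users may tolerate a higher count, and the window should be tuned to the lockout duration configured on the server so that a single actor cannot keep a set of accounts permanently locked without tripping the rule.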



Advisories

No advisories yet.

History

Wed, 29 Apr 2026 15:15:00 +0000

  • Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 29 Apr 2026 14:45:00 +0000

  • CPEs added: cpe:2.3:a:ercom:cryptobox:*:*:*:*:*:*:*:* ; cpe:2.3:a:ercom:cryptobox:4.40.175:*:*:*:*:*:*:*

Tue, 28 Apr 2026 18:30:00 +0000

  • Description added: A vulnerability affecting the detailed versions of Cryptobox allows a legitimate user to prevent another to login by triggering an account lockout via sending a specially crafted request.
  • Title added: Vulnerability in Cryptobox allows an authenticated user to trigger an account lockout
  • First Time appeared: Ercom ; Ercom cryptobox
  • Weaknesses added: CWE-694
  • CPEs added: cpe:2.3:a:ercom:cryptobox:*:*:*:*:*:*:*:* ; cpe:2.3:a:ercom:cryptobox:4.40.175:*:*:*:*:*:*:*
  • Vendors & Products added: Ercom ; Ercom cryptobox
  • References: (none recorded)
  • Metrics (cvssV4_0) added: {'score': 4.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: THA-PSIRT

Published:

Updated: 2026-04-29T14:06:08.155Z

Reserved: 2026-04-08T13:20:07.168Z

Link: CVE-2026-5794

Vulnrichment

Updated: 2026-04-28T18:33:53.379Z

NVD

Status: Awaiting Analysis

Published: 2026-04-28T19:37:47.390

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-5794

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:15:43Z

Weaknesses