Description
Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link.
Published: 2026-05-07
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in Cryptobox's external sharing feature, allowing an attacker who knows a sharing link URL to obtain server-side information that can be used to perform an offline brute-force attack against the access code that protects the shared content. This flaw permits unauthorized reading or copying of data that was intended to remain confidential to the designated recipients, aligning with CWE‑280’s description of insecure private credential storage or leakage.

Affected Systems

The product affected is Ercom Cryptobox. No specific version numbers were supplied in the CNA data.

Risk and Exploitability

The reported CVSS score of 6.9 indicates a medium to high level of risk, and the CVE is not yet listed in the CISA KEV catalog. Because the flaw requires knowledge of a sharing link URL, an attacker typically must acquire the URL through legitimate or deceptive means; once the URL is in hand, the server does not protect the access code, allowing the attacker to conduct an offline brute‑force attempt. If successful, the attacker can obtain the confidential data shared via the link, meaning a moderate likelihood of exploitation combined with significant confidentiality impact. The absence of a public EPSS score suggests that, at present, the exploitability might not be widely observed, but the potential to compromise sensitive information remains.

Generated by OpenCVE AI on May 7, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Cryptobox patch or upgrade to a version that fixes the external sharing link info disclosure.
  • Disable or restrict external sharing links until the vulnerability is resolved.
  • Enforce longer, more complex access codes for external shares to deter brute‑force attempts.

Generated by OpenCVE AI on May 7, 2026 at 11:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Ercom
Ercom cryptobox
Vendors & Products Ercom
Ercom cryptobox

Thu, 07 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link.
Title Vulnerability on Cryptobox external sharing feature
Weaknesses CWE-280
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Ercom Cryptobox
cve-icon MITRE

Status: PUBLISHED

Assigner: THA-PSIRT

Published:

Updated: 2026-05-07T13:39:33.124Z

Reserved: 2026-04-21T15:15:08.431Z

Link: CVE-2026-6805

cve-icon Vulnrichment

Updated: 2026-05-07T13:39:30.143Z

cve-icon NVD

Status : Received

Published: 2026-05-07T10:16:06.340

Modified: 2026-05-07T10:16:06.340

Link: CVE-2026-6805

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T11:30:28Z

Weaknesses