Description
A weakness has been identified in BDCOM P3310D 0.4.2 10.1.0F Build 86345. This affects an unknown function of the component rmon event Tab. Executing a manipulation of the argument Description can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-25
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting that allows an attacker to inject and execute arbitrary JavaScript in the context of users who view the affected event tab
Action: Assess Impact
AI Analysis

Impact

The flaw resides in the rmon event Tab component of BDCOM P3310D 0.4.2 10.1.0F Build 86345 and is triggered by manipulating the Description argument. An attacker can inject malicious JavaScript, which will run in the victim’s browser when the event tab is displayed. This enables session hijacking, data theft, or further compromise of the target system. The issue maps to CWE‑79 and CWE‑94, indicating unvalidated input and potential code injection.

Affected Systems

Vendor BDCOM, product P3310D, affected build 0.4.2 10.1.0F Build 86345. No other affected versions are listed.

Risk and Exploitability

The CVSS score of 4.8 (CVSS 4.0) indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild, yet public exploits are available. The CVE is not listed in the CISA KEV catalog. The vulnerability can be triggered remotely by sending a crafted request to the event-tab endpoint, and the injected script runs in the user's browser when the event tab is displayed. The CVSS vectors recorded for this CVE specify high privileges (PR:H) and user interaction, so the attacker needs a high-privilege account on the device and a user must view the affected tab. With no official vendor patch or workaround, the risk remains until mitigation measures are applied.

Generated by OpenCVE AI on April 28, 2026 at 05:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict the rmon event Tab interface to trusted administrators by configuring firewall rules or VPN access only.
  • If a newer firmware version that fixes the flaw is available, upgrade; otherwise, change the web server configuration to sanitize or strip the Description field before rendering the event tab.
  • Deploy a stringent Content Security Policy on the web interface and monitor user agent logs for suspicious JavaScript payloads.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:45:00 +0000

Values added:
First Time appeared: Bdcom; Bdcom p3310d
Vendors & Products: Bdcom; Bdcom p3310d

Mon, 27 Apr 2026 14:15:00 +0000

Values added:
Metrics: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 25 Apr 2026 20:00:00 +0000

Values added:
Description: A weakness has been identified in BDCOM P3310D 0.4.2 10.1.0F Build 86345. This affects an unknown function of the component rmon event Tab. Executing a manipulation of the argument Description can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title: BDCOM P3310D rmon event Tab cross site scripting
Weaknesses: CWE-79; CWE-94
References
Metrics:
cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T13:28:50.171Z

Reserved: 2026-04-24T19:57:56.589Z

Link: CVE-2026-6996

Vulnrichment

Updated: 2026-04-27T13:28:39.452Z

NVD

Status: Deferred

Published: 2026-04-25T20:16:18.233

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6996

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:30:23Z

Weaknesses