CVE-2026-7671 - Vulnerability Details

- CodeWise Tornet Scooter Mobile App TwoFactor excessive authentication

Description

A vulnerability has been found in CodeWise Tornet Scooter Mobile App 4.75 on iOS/Android. The impacted element is an unknown function of the file /TwoFactor. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-05-02

Score: 6.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability in the two‑factor authentication module of CodeWise Tornet Scooter Mobile App 4.75 on iOS and Android allows an attacker to bypass the normal restriction on excessive authentication attempts. This improper limitation enables the attacker to attempt repeated logins from a remote location, potentially leading to account compromise. The flaw aligns with CWE‑307 (Improper Restriction of Excessive Authentication Attempts) and CWE‑799 (Authentication Bypass).

Affected Systems

The affected product is CodeWise Tornet Scooter Mobile App version 4.75, both on iOS and Android platforms. The issue originates in an unknown function within the file /TwoFactor and is observable when the app is installed on target devices.

Risk and Exploitability

The CVSS score is 6.3, indicating a medium risk, and the EPSS score is not available, so the likelihood of exploitation cannot be quantified; the vulnerability is not in CISA’s KEV catalog. It can be exploited remotely, and is described as complex and difficult, but because the flaw permits repeated authentication attempts it still poses a meaningful threat until a vendor fix is issued.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

CodeWise

Tornet Scooter Mobile App

affected

Version	Status	Constraints
`4.75`	affected	—

No data.

Vendor Product Confidence Versions

Codewise

Tornet Scooter Mobile App

100%

Version	Status	Scheme	Platform
`4.75`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Reach out to CodeWise for remediation instructions or status on a fix.
Implement local controls such as limiting repeated authentication attempts or blocking the /TwoFactor interface if possible.
Regularly monitor security advisories and update the app as soon as a patch is released.

Generated by OpenCVE AI on May 3, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00023.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://drive.proton.me/urls/M0WFM4137W#MY0jA6pjHYPO
https://vuldb.com/submit/799987
https://vuldb.com/vuln/360819
https://vuldb.com/vuln/360819/cti

History

Mon, 04 May 2026 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Codewise Codewise tornet Scooter Mobile App
Vendors & Products		Codewise Codewise tornet Scooter Mobile App

Mon, 04 May 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sat, 02 May 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been found in CodeWise Tornet Scooter Mobile App 4.75 on iOS/Android. The impacted element is an unknown function of the file /TwoFactor. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		CodeWise Tornet Scooter Mobile App TwoFactor excessive authentication
Weaknesses		CWE-307 CWE-799
References		https://drive.proton.me/urls/M0WFM4137W#MY0jA6pjHYPO https://vuldb.com/submit/799987 https://vuldb.com/vuln/360819 https://vuldb.com/vuln/360819/cti
Metrics		cvssV2_0 `{'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Codewise Tornet Scooter Mobile App

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-02T23:30:13.982Z

Updated: 2026-05-04T13:08:10.082Z

Reserved: 2026-05-02T08:14:48.421Z

Link: CVE-2026-7671

Vulnrichment

Updated: 2026-05-04T13:08:06.236Z

NVD

Status : Deferred

Published: 2026-05-03T00:16:16.157

Modified: 2026-05-04T15:19:34.637

Link: CVE-2026-7671

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T16:06:42Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object