Description
A flaw has been found in AV Stumpfl Pixera Two Media Server up to 25.2 R2. Impacted is an unknown function of the component Websocket API. This manipulation causes code injection. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 25.2 R3 is recommended to address this issue. Upgrading the affected component is advised.
Published: 2026-05-03
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A code injection vulnerability exists in the WebSocket API component of AV Stumpfl Pixera Two Media Server up to version 25.2 R2. The flaw permits an attacker to execute arbitrary server‑side code, potentially compromising confidentiality, integrity, and availability of the application and underlying host system.

Affected Systems

The affected product is AV Stumpfl Pixera Two Media Server. All releases up to 25.2 R2 are vulnerable. The vendor recommends upgrading to version 25.2 R3 to remediate the issue.

Risk and Exploitability

The CVSS score is 6.9, indicating medium severity. EPSS data is not available, so the exploit probability is unknown, but the vulnerability is confirmed and the exploit has been published, making it likely to be used by adversaries. The attack vector is remote, inferred from the description's statement that the attack can be initiated remotely. The vulnerability is not listed in the CISA KEV catalog, but the published exploit and the potential for remote code execution make it a significant risk to affected deployments.

Generated by OpenCVE AI on May 3, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pixera Two Media Server to version 25.2 R3.
  • Disable or restrict access to the WebSocket API endpoints (e.g., via firewall ACLs or server configuration) until the upgrade is completed.
  • Deploy a Web Application Firewall or equivalent mechanism to filter malicious WebSocket payloads and enforce strict input validation, mitigating injection patterns identified by CWE-74 and CWE-94.

Advisories

No advisories yet.

History

Sun, 03 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in AV Stumpfl Pixera Two Media Server up to 25.2 R2. Impacted is an unknown function of the component Websocket API. This manipulation causes code injection. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 25.2 R3 is recommended to address this issue. Upgrading the affected component is advised.
Title | | AV Stumpfl Pixera Two Media Server Websocket API code injection
Weaknesses | | CWE-74, CWE-94
References | |
Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
        | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
        | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
        | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-03T16:15:11.382Z

Reserved: 2026-05-02T20:40:52.806Z

Link: CVE-2026-7703

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-03T17:16:13.393

Modified: 2026-05-03T17:16:13.393

Link: CVE-2026-7703

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-03T18:00:12Z
