Description
VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates.
Published: 2026-05-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because VINCE versions 3.0.38 and earlier do not properly verify the authenticity of the From address on incoming email; the description attributes the failure to encoding confusion in how that header is interpreted. An attacker can therefore craft a message whose From address is read as a trusted sender, and because VINCE uses that address to drive automated actions such as ticket creation and ticket updates, those actions run on the attacker's behalf with no other authentication. The weakness is improper input validation (CWE-20) that turns into an authentication bypass: the system identifies the sender from a header the sender controls.

Affected Systems

VINCE (Vulnerability Information and Coordination Environment) from CERT/CC, specifically its processing of inbound email. Versions 3.0.38 and earlier are affected.

Risk and Exploitability

The vulnerability is not listed in the CISA KEV catalog and its EPSS score is below 1%, so observed exploitation is unlikely at present. Exploitation nonetheless needs nothing more than the ability to deliver an email to the VINCE instance: the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) records a network attack of low complexity that requires neither privileges nor user interaction, and the SSVC assessment marks it Automatable. The impact is limited to low confidentiality and low integrity effects (C:L/I:L/A:N), that is, unauthorized creation or modification of tickets rather than takeover of the system; with a base score of 6.5 this is a medium-severity issue.

Generated by OpenCVE AI on May 8, 2026 at 22:52 UTC.

Remediation

No vendor fix or workaround is listed on this record.

OpenCVE Recommended Actions

  • Upgrade to a VINCE release newer than 3.0.38 (the last version the description lists as affected) as soon as one that verifies the From address is available.
  • Have the receiving MTA evaluate SPF, DKIM and DMARC on inbound mail and pass the verdict to VINCE (for example in an Authentication-Results header), so that a From domain is accepted only when it is DMARC-aligned and authenticated; an address that merely looks trusted after header decoding should not qualify.
  • Restrict automated ticket actions to authenticated users or to senders from verified email domains within the system's configuration.
  • Monitor logs for abnormal ticket creation or update patterns, such as actions attributed to trusted senders by messages that failed DMARC or carried unusual From header encoding.

Generated by OpenCVE AI on May 8, 2026 at 22:52 UTC.
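The Impact paragraph and the recommended actions above describe the same gap from two sides: a From address whose decoded form looks trusted is not evidence of who sent the message, and only the receiving MTA's SPF/DKIM/DMARC result can supply that evidence. The Python below is an added illustration, not VINCE's code, and the page does not say what the actual encoding confusion in VINCE was. It contrasts a fragile "decode the header, then regex out an address" check with one that parses From with the standard library's RFC 5322 parser, insists on a single mailbox in the trusted domain, and accepts the address only when our own MTA's Authentication-Results header records an aligned dmarc=pass for that domain. The trusted domain, the authserv-id and the three sample messages are constructed for the example.

```python
"""Added example, not VINCE or CERT/CC code: decide whether the From address of an
inbound message may drive an automated ticket action.

Assumptions (constructed for the example): the trusted sender domain is
example.org, and our own MTA stamps Authentication-Results with the
authserv-id mx.example.org after evaluating SPF, DKIM and DMARC.
"""
import re
from email import message_from_string, policy

TRUSTED_DOMAIN = "example.org"      # assumption: senders here may create/update tickets
OUR_AUTHSERV_ID = "mx.example.org"  # assumption: authserv-id written by our own MTA

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def naive_sender(raw):
    """Fragile check: decode the From header to text, then take the first thing
    that looks like an address. Because decoding happens first, an RFC 2047
    encoded-word (or a quoted display name) can smuggle an '@' into the display
    name, and the regex reports that instead of the real addr-spec."""
    msg = message_from_string(raw, policy=policy.default)
    text = str(msg["From"] or "")   # policy.default decodes encoded-words here
    m = ADDR_RE.search(text)
    return m.group(0).lower() if m else None


def _dmarc_pass_domain(msg):
    """Return the header.from domain for which OUR MTA recorded dmarc=pass, else
    None. Authentication-Results headers carrying a different authserv-id are
    ignored; the MTA must still strip foreign ones (RFC 8601 section 5), since
    an attacker who can inject one bearing our id would defeat this check."""
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(ar).partition(";")
        if authserv.strip().lower() != OUR_AUTHSERV_ID:
            continue
        m = re.search(r"\bdmarc=pass\b.*?\bheader\.from=([\w.-]+)",
                      results, re.IGNORECASE | re.DOTALL)
        if m:
            return m.group(1).lower()
    return None


def authenticated_sender(raw):
    """Hardened check: return the addr-spec that may drive a ticket action, or
    None. Requires exactly one well-formed mailbox, in the trusted domain,
    whose domain our MTA also reported as an aligned DMARC pass."""
    msg = message_from_string(raw, policy=policy.default)
    hdr = msg["From"]
    if hdr is None or hdr.defects or len(hdr.addresses) != 1:
        return None
    addr = hdr.addresses[0]
    if not addr.username or not addr.domain:
        return None
    domain = addr.domain.lower()
    if domain != TRUSTED_DOMAIN or _dmarc_pass_domain(msg) != domain:
        return None
    return addr.addr_spec.lower()


# Constructed sample messages, not real traffic.
LEGIT = """\
From: Ops Team <ops@example.org>
Subject: Update ticket 123
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org;
 dkim=pass header.d=example.org; dmarc=pass (p=reject) header.from=example.org

please close
"""

# Display name is an encoded-word that decodes to "ops@example.org"; the real
# sender is attacker@evil.example and DMARC aligns only with evil.example.
ENCODED_DISPLAY_NAME = """\
From: =?utf-8?q?ops=40example.org?= <attacker@evil.example>
Subject: Update ticket 123
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=evil.example;
 dkim=pass header.d=evil.example; dmarc=pass header.from=evil.example

please close
"""

# Plain forgery of the trusted address plus an attacker-supplied
# Authentication-Results header; our MTA's own verdict is dmarc=fail.
FORGED_FROM = """\
From: Ops Team <ops@example.org>
Subject: Update ticket 123
Authentication-Results: attacker.example; dmarc=pass header.from=example.org
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.org;
 dkim=none; dmarc=fail (p=reject) header.from=example.org

please close
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("encoded", ENCODED_DISPLAY_NAME),
                      ("forged", FORGED_FROM)):
        print(f"{name:8s} naive={naive_sender(raw)!s:20s} "
              f"authenticated={authenticated_sender(raw)}")
```

Run as a script it prints what each check returns for the three messages: the naive check names ops@example.org as the sender in all three cases, while the hardened check accepts only the legitimate one. The forged-From case shows why the DMARC gate is needed even when the From header parses cleanly, and the authserv-id filter only helps if the MTA removes Authentication-Results headers it did not write itself.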

Advisories

No advisories yet.

History

Mon, 11 May 2026 17:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Cert; Cert vince
Vendors & Products                     Cert; Cert vince

Fri, 08 May 2026 23:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-287

Fri, 08 May 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-284

Fri, 08 May 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
                           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 21:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-284

Thu, 07 May 2026 20:00:00 +0000

Type          Values Removed   Values Added
Description                    VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates.
Title                          CVE-2026-8142
References

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-06-05T16:26:58.167Z

Reserved: 2026-05-07T19:50:29.029Z

Link: CVE-2026-8142

Vulnrichment

Updated: 2026-05-08T13:55:12.360Z

NVD

Status : Awaiting Analysis

Published: 2026-05-07T20:16:45.670

Modified: 2026-05-08T14:16:48.823

Link: CVE-2026-8142

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T16:11:56Z

Weaknesses