Description
VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates.
Published: 2026-05-07
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because VINCE versions 3.0.38 and earlier do not properly verify the authenticity of the From address when processing incoming email. Because the address is decoded and interpreted inconsistently (encoding confusion), an attacker can craft a message whose From header is read as coming from a trusted source, and the system then performs automated actions such as ticket creation or ticket updates on that message without any further authorization. The impact is unauthorized creation or modification of tickets, with the resulting data integrity problems and potential confidentiality problems.

Affected Systems

The inbound email processing of VINCE, the CERT/CC Vulnerability Information and Coordination Environment. Versions 3.0.38 and earlier are affected.

Risk and Exploitability

The vulnerability is not listed in the CISA KEV catalog and no EPSS score is available. Despite the lack of public exploitation metrics, the flaw lets an attacker bypass the sender authenticity check by sending a crafted email to the system, which can be done remotely over the network: the attacker needs only the ability to deliver mail to the VINCE inbox, not local access or an account. No CVSS score has been assigned yet, but the potential for unauthorized ticket creation and modification by any remote sender makes this a risk to treat as high severity.

Generated by OpenCVE AI on May 7, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a VINCE release later than 3.0.38 that includes the From address verification fix as soon as one is published (no fix is listed on this page yet).
  • Deploy or enable SPF, DKIM and DMARC checks on the inbound MTA and have VINCE act only on the MTA's authentication results. Note that DMARC alignment is evaluated against the RFC 5322 From domain, so the From header must be parsed the same way by the MTA and by VINCE; otherwise the encoding confusion can still let a message authenticated for the attacker's own domain be treated as coming from a trusted one.
  • Restrict automated ticket actions to authenticated users or verified email domains within the system’s configuration.
  • Monitor logs for abnormal ticket creation or update patterns.

Generated by OpenCVE AI on May 7, 2026 at 21:21 UTC.
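The From-header confusion described in the Impact section and the DMARC-based check recommended above, as an added Python example that is not part of the OpenCVE page or of VINCE's own code. The advisory does not say which encoding VINCE mishandles; this example assumes one common form, an RFC 2047 encoded word in the display name that decodes to an address-like string. The trusted domain trusted.example, the authserv-id mx.example, the function names and the three sample messages are all constructed for the demonstration. naive_sender shows the confusable pattern (decode to text first, then scan for an address); verified_sender parses the header structurally with the standard email package and additionally requires a DMARC pass, recorded by the front MTA in Authentication-Results, for the same domain.

```python
import re
from email import message_from_string, policy
from email.header import decode_header, make_header

# Assumptions for the demonstration (not from the advisory): the domain whose
# senders VINCE would trust, and the authserv-id our own MTA writes into
# Authentication-Results.
TRUSTED_DOMAINS = {"trusted.example"}
OUR_AUTHSERV_ID = "mx.example"

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def naive_sender(raw_from):
    """The confusable pattern: decode RFC 2047 encoded words to text first, then
    pick the first address-looking token. A display name that decodes to
    'admin@trusted.example' wins over the real angle-bracket address."""
    decoded = str(make_header(decode_header(raw_from)))
    match = ADDR_RE.search(decoded)
    return match.group(0).lower() if match else ""


def naive_is_trusted(raw_from):
    return naive_sender(raw_from).rpartition("@")[2] in TRUSTED_DOMAINS


def verified_sender(raw_message):
    """Return the sender addr-spec only when the From header is structurally
    unambiguous (exactly one mailbox), its domain is trusted, and our MTA's
    Authentication-Results records dmarc=pass for that same domain."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_hdr = msg["From"]
    if from_hdr is None or len(from_hdr.addresses) != 1:
        return None
    addr = from_hdr.addresses[0]  # structured parse keeps display name and addr-spec apart
    domain = addr.domain.lower()
    if domain not in TRUSTED_DOMAINS:
        return None
    for ar in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = str(ar).partition(";")
        if authserv_id.strip().lower() != OUR_AUTHSERV_ID:
            continue  # not written by our MTA, so not trustworthy
        dmarc = re.search(r"\bdmarc=(\w+)", results)
        hdr_from = re.search(r"\bheader\.from=([\w.-]+)", results)
        if (dmarc and dmarc.group(1).lower() == "pass"
                and hdr_from and hdr_from.group(1).lower() == domain):
            return addr.addr_spec.lower()
    return None


# Constructed sample messages (not real traffic).
SPOOFED = (
    "From: =?utf-8?q?admin=40trusted=2Eexample?= <attacker@evil.example>\n"
    "Authentication-Results: mx.example; dkim=pass header.d=evil.example;"
    " dmarc=pass header.from=evil.example\n"
    "Subject: update\n\n"
    "close the ticket\n"
)
LEGITIMATE = (
    "From: Alice <alice@trusted.example>\n"
    "Authentication-Results: mx.example; dkim=pass header.d=trusted.example;"
    " dmarc=pass header.from=trusted.example\n"
    "Subject: update\n\n"
    "please add this note\n"
)
FORGED_NO_AUTH = (
    "From: alice@trusted.example\n"
    "Authentication-Results: mx.example; spf=fail smtp.mailfrom=evil.example;"
    " dmarc=fail header.from=trusted.example\n"
    "Subject: update\n\n"
    "please close this\n"
)

if __name__ == "__main__":
    spoofed_from = SPOOFED.split("\n", 1)[0][len("From: "):]
    print("naive sees:", naive_sender(spoofed_from), "trusted:", naive_is_trusted(spoofed_from))
    for name, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE), ("forged", FORGED_NO_AUTH)):
        print(name, "->", verified_sender(raw))
```

The spoofed message authenticates correctly for evil.example, so SPF, DKIM and DMARC alone do not reject it; what stops it is that the structured parse attributes the message to evil.example rather than to the decoded display name. Because a sender can also forge an Authentication-Results header, this check only holds if the front MTA strips any such header arriving from outside and writes its own, as RFC 8601 requires; that behaviour is assumed here.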

Advisories

No advisories yet.

History

Thu, 07 May 2026 21:45:00 +0000

Type          Values Removed   Values Added
Weaknesses                     CWE-20, CWE-284

Thu, 07 May 2026 20:00:00 +0000

Type          Values Removed   Values Added
Description                    VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates.
Title                          CVE-2026-8142
References

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-05-07T19:54:49.275Z

Reserved: 2026-05-07T19:50:29.029Z

Link: CVE-2026-8142

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-07T20:16:45.670

Modified: 2026-05-07T20:32:47.823

Link: CVE-2026-8142

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:30:25Z

Weaknesses