CVE-2026-21404
6.3 MEDIUMNAVTOR NavBox through version 4.16.1.20 contains hard-coded credentials within its Windows Communication Foundation (SOAP) implementation
Published: 2026-06-04 · Last updated: 2026-06-05
Severity and scoring
- CVSS
- 6.3 MEDIUM
- Vector
- CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
- CWE
- CWE-798
Description
NAVTOR NavBox through version 4.16.1.20 contains hard-coded credentials within its Windows Communication Foundation (SOAP) implementation. If the SOAP functionality is enabled, a local attacker can extract credentials to bypass the intended transfer workflow. Successful authentication against the SOAP interface grants access to privileged WCF methods, enabling an attacker to write or overwrite files within application-defined paths.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-47281 — Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network (9.6 CRITICAL)
- CVE-2026-11414 — A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service
- CVE-2025-71317 — NetMan 204 contains a hard-coded backdoor account with the username and password 'eurek' that grants administrative access (9.8 CRITICAL)
- CVE-2026-50213 — The account validation endpoint /v1/User/validate returns comprehensive user profile data sheets, which can be crawled by iterating predi... (7.5 HIGH)
- CVE-2026-49204 — Leftover debug modules contain fixed credentials for internal AWS Cognito test sandboxes, risking asset exploitation (6.5 MEDIUM)