CVE-2026-2752
5.3 MEDIUM
Navtor NavBox allows information disclosure via the /api/ais-data endpoint
Published: 2026-03-06 · Last updated: 2026-06-15
Severity and scoring
- CVSS: 5.3 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- CWE: CWE-209
Affected products
| Vendor | Product |
|---|---|
| navtor | navbox_firmware |
Description
Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return verbose .NET stack traces. These error messages expose internal class names, method calls, and third-party library references (e.g., System.Data.SQLite), which may assist attackers in mapping the application's internal structure.
Source: NVD
Related CVEs
Same vendor
- CVE-2026-2754 — Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints (7.5 HIGH)
- CVE-2026-2753 — An Absolute Path Traversal vulnerability exists in Navtor NavBox (7.5 HIGH)
Same CWE
- CVE-2026-47248 — Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js
- CVE-2026-40997 — Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semant... (5.3 MEDIUM)
- CVE-2026-41730 — Spring Data REST serializes the full exception cause chain into HTTP error response bodies, potentially exposing persistence-layer intern... (5.3 MEDIUM)
- CVE-2025-52611 — HCL iControl v4.0.0 was affected by Unhandled Exception - Stack Trace Disclosure vulnerability (3.1 LOW)
- CVE-2025-52606 — HCL iControl was affected by Weak Input Validation vulnerability (4.3 MEDIUM)