CVE-2026-5246
LOW EPSS 45.3%
Published Apr 2, 20262mo ago · Modified Jun 17, 20261w ago
2.9 CVSS 4.0
Published Apr 2, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago
Description
A vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the function mg_tls_verify_cert_signature of the file mongoose.c of the component P-384 Public Key Handler. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. Attacks of this nature are highly complex. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized. Upgrading to version 7.21 is able to address this issue. This patch is called 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope X
Threat Intelligence
EPSS Exploit Probability
45.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 2
CWE-285
CWE-639
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| cesanta | mongoose | * | ≥7.0 – <7.21 |
References 6
- github.com https://github.com/cesanta/mongoose/
- github.com https://github.com/cesanta/mongoose/commit/0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1
- github.com https://github.com/cesanta/mongoose/releases/tag/7.21
- vuldb.com https://vuldb.com/submit/770104
- vuldb.com https://vuldb.com/vuln/354827
- vuldb.com https://vuldb.com/vuln/354827/cti
Remediation
- github.com https://github.com/cesanta/mongoose/commit/0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1