Filtered by vendor Evbee
Subscriptions
Total
9 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-22093 | 1 Evbee | 1 Evbee Service | 2026-07-13 | N/A |
| The EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. This allows an attacker on the network path between the app and EVbee server to intercept and manipulate the communication between the app and server. The traffic is weakly encrypted using RC4 with a hardcoded key, which allows an attacker to gain access to the communication. Part of this communication involves access codes to charging stations. This issue affects EVbee Service: v1.4.101.00. | ||||
| CVE-2026-22095 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| The network diagnosis endpoint on the web server at port 8090 is vulnerable to command injection. | ||||
| CVE-2026-22100 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| The OCPP DataTransfer message `ReserveLogin` is vulnerable to command injection. By manipulating the data value, arbitrary OS commands can be executed as root. | ||||
| CVE-2026-22096 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| The webserver running on port 8090 does not require authentication. This allows for sensitive information leakage such as configured passwords, or uploading files through different endpoints. | ||||
| CVE-2026-22102 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| A POST request sent to a specific webserver endpoint can be used to write to arbitrary file locations. The endpoint accepts the filename parameter in the Content-Disposition header without verification. This can be used to cause a denial of service by overwriting system files, or remote-code-execution by overwriting shell-scripts which execution can be triggered through other means. | ||||
| CVE-2026-22099 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| The charging station does not require authentication for Bluetooth commands to perform actions. The functionality exposed includes sensitive information leakage, triggering reboots, or pushing a firmware update URL. | ||||
| CVE-2026-22097 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| The firmware update mechanism does not include cryptographic signature validation. This allows anyone with access to the firmware update capability to upload arbitrary files which can then lead to arbitrary code execution. | ||||
| CVE-2026-22098 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| Various sensitive information such as passwords and charging card UIDs are written to log files. | ||||
| CVE-2026-22103 | 1 Evbee | 1 Dc-80 | 2026-07-13 | N/A |
| The NPC start endpoint on the web server at port 8090 is vulnerable to command injection. | ||||
Page 1 of 1.