CVE-2026-8142
Vulnerability in VINCE due to From address spoofing
Publication date: 2026-05-07
Last updated on: 2026-05-08
Assigner: CERT/CC
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cert_coordination_center | vince | up to 3.0.38 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-8142 affects VINCE versions 3.0.38 and earlier, where the system does not properly verify the authenticity of the From address due to encoding confusion.
This vulnerability allows the system to use a potentially spoofed From address for automated actions such as creating or updating tickets.
How can this vulnerability impact me?
Because VINCE uses the From address for automated ticket creation and updates without proper verification, an attacker could spoof the From address to trigger unauthorized actions.
This could lead to unauthorized ticket creation or modification, potentially causing confusion, mismanagement of vulnerability reports, or exploitation of the coordination process.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how CVE-2026-8142 impacts compliance with common standards and regulations such as GDPR or HIPAA.