CVE-2026-57920
Analyzed
Analyzed - Analysis Complete
Authentication Bypass via Semicolon in Peplink InControl 2
Vulnerability report for CVE-2026-57920, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-26
Last updated on: 2026-07-02
Assigner: MITRE
Description
Description
Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| peplink | intcontrol_2 | to 2.14.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-551 | If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection. |