CVE-2026-12183
Published 2026-06-13
Priority: P272 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.55% (41.7th percentile)
Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials (e.g., action=dologin&login=&pwd=), and subsequent privileged endpoints under /php/ajax-main.php and /modules/* do not validate a server-side session. A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nefteprodukttekhnika_llc | buk_ts-g_gas_station_automation_system | 2.9.1 – 2.10.2 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_oracle | — | 5.4 | HIGH | — |
VulDB
Nefteprodukttekhnika BUK TS-G Gas Station Automation System up to 2.10.2 on Linux System Configuration /php/ajax-login.php improper authentication (EUVD-2026-36653)
vuldb·2026-06-14·CVSS 9.8
A vulnerability identified as critical has been detected in Nefteprodukttekhnika BUK TS-G Gas Station Automation System up to 2.10.2 on Linux. The affected element is an unknown function of the file /php/ajax-login.php of the component System Configuration Module. Performing a manipulation results in improper authentication.
This vulnerability is reported as CVE-2026-12183. The attack can be carried out remotely. No exploit exists.
GHSA
Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module.
ghsa_unreviewed·2026-06-13
Oracle
Oracle Oracle Java SE Risk Matrix: Mission Control (lz4-java) — CVE-2025-12183
vendor_oracle·2026-01-15·CVSS 5.4
Oracle Oracle Java SE Risk Matrix: Mission Control (lz4-java) vulnerability
CVE: CVE-2025-12183
CVSS: 5.4
Protocol: Multiple
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2026 (JAN 2026)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.