CVE-2026-22312
published 2026-06-16
Priority P2 · 60 · high · 8.6 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
EPSS: 0.23% (13.9th percentile)
The device has a webserver that exposes a REST API authenticated with a constant token. The unauthenticated API can be used by an attacker to get access to system settings, modify the configuration and execute some commands (e.g. system reboot).
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| radiflow | isap_smart_collector | — | — |
VulDB
Radiflow iSAP Smart Collector 3.07-1 API hard-coded credentials
vuldb·2026-06-16·CVSS 8.6
CVE-2026-22312 [HIGH] Radiflow iSAP Smart Collector 3.07-1 API hard-coded credentials
A vulnerability marked as critical has been reported in Radiflow iSAP Smart Collector 3.07-1. Impacted is an unknown function of the component API. This manipulation causes hard-coded credentials.
This vulnerability is handled as CVE-2026-22312. The attack can be initiated remotely. There is not any exploit available.
GHSA
The device has a webserver that exposes a REST API authenticated with a constant token.
ghsa_unreviewed·2026-06-16
CVE-2026-22312 [HIGH] CWE-798 The device has a webserver that exposes a REST API authenticated with a constant token.
The device has a webserver that exposes a REST API authenticated with a constant token. The unauthenticated API can be used by an attacker to get access to system settings, modify the configuration and execute some commands (e.g. system reboot).
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-16