CVE-2026-26049
published 2026-02-20CVE-2026-26049: The web management interface of the device renders the passwords in a plaintext input field. The current password is directly visible to anyone with access to…
PriorityP434medium5.7CVSS 3.1
AVNACLPRLUIRSUCHINAN
EPSS
0.28%
19.9th percentile
The web management interface of the device renders the passwords in a
plaintext input field. The current password is directly visible to
anyone with access to the UI, potentially exposing administrator
credentials to unauthorized observation via shoulder surfing,
screenshots, or browser form caching.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jinan_usr_iot_technology_limited | usr-w610 | <= 3.1.1.0 | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA ICS
Jinan USR IOT Technology Limited (PUSR) USR-W610
cisa_ics·2026-02-19·CVSS 7.5
[HIGH] Jinan USR IOT Technology Limited (PUSR) USR-W610
ICS Advisory
##
Jinan USR IOT Technology Limited (PUSR) USR-W610
Release DateFebruary 19, 2026
Alert CodeICSA-26-050-03
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
View CSAF
## Summary
Successful exploitation of these vulnerabilities could result in authentication being disabled, a denial-of-service condition, or an attacker stealing valid user credentials, including administrator credentials.
The following versions of Jinan USR IOT Technology Limited (PUSR) USR-W610 are affected:
- USR-W610 <=3.1.1.0 (CVE-2026-25715, CVE-2026-24455, CVE-2026-26049, CVE-2026-26048)
CVSS
Vendor
Equipment
Vulnerabilities
| v3 9.8
| Jinan USR IOT Technology Limited (PUSR)
| Jinan USR IOT Technology Limited (PUSR) USR-W610
| Weak Pass
GHSA
GHSA-rxjp-cgw5-jfcg: The web management interface of the device renders the passwords in a
plaintext input field
ghsa_unreviewed·2026-02-20
CVE-2026-26049 [MEDIUM] CWE-522 GHSA-rxjp-cgw5-jfcg: The web management interface of the device renders the passwords in a
plaintext input field
The web management interface of the device renders the passwords in a
plaintext input field. The current password is directly visible to
anyone with access to the UI, potentially exposing administrator
credentials to unauthorized observation via shoulder surfing,
screenshots, or browser form caching.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-02-20
Published