Nerves-Hub Nerves Hub Web vulnerabilities
2 known vulnerabilities affecting nerves-hub/nerves_hub_web.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 1
Vulnerabilities
CVE-2026-28806 | P2 | HIGH | CVSS 8.8 | ≥ 1.0.0, < 2.4.0 | ≥ adaeefdb7a835525482588f43332ef988cc448c7, < 1f69c9d595684a4650c3ac702f3dc7c5bcd7526c | 2026-03-10
CVE-2026-28806 [HIGH] CWE-285
Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API.
Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of th
nvd
CVE-2025-64097 | P3 | CRITICAL | CVSS 9.8 | >= 1.0.0, < 2.3.0 | 2026-01-22
CVE-2025-64097 [CRITICAL] CWE-330
NervesHub is a web service that allows users to manage over-the-air (OTA) firmware updates of devices in the field. A vulnerability present starting in version 1.0.0 and prior to version 2.3.0 allowed attackers to brute-force user API tokens due to the predictable format of previously issued tokens. Tokens included user-identifiable components and
nvd