Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered social engineering with no required privileges; scope unchanged within Heptabase; only confidentiality impacted via camera/microphone; required user interaction prevents PR:N unauthenticated fully autonomous exploitation.
Primary rating from Vendor (twcert).
CVSS VectorVendor: twcert
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Heptabase developed by Hepta Platforms has a Exposed Dangerous Method or Function vulnerability, allowing unauthenticated remote attackers to leverage social engineering techniques to trick a victim into opening or loading a malicious webpage within the Heptabase application, thereby gaining unauthorized access to camera and microphone permissions.
AnalysisAI
Unauthorized camera and microphone access in Heptabase by Hepta Platforms is achievable by unauthenticated remote attackers who social-engineer a victim into opening a malicious webpage inside the application, exploiting an exposed dangerous method (CWE-749) that bypasses normal permission gating. The attack yields high confidentiality impact - real-time audio and video capture - with no privileges required on the attacker's side, constrained only by the need for active victim interaction. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, though the surveillance-class outcome makes it attractive for targeted campaigns.
Technical ContextAI
Heptabase (CPE: cpe:2.3:a:hepta_platforms:heptabase:*:*:*:*:*:*:*:*) is a knowledge management and note-taking application that embeds a web rendering context - likely an Electron-based or similar WebView framework - allowing web content to be loaded within the native application shell. CWE-749 (Exposed Dangerous Method or Function) identifies the root cause: the application surfaces browser-level media device APIs (camera and microphone) to embedded web content without enforcing the permission prompts or sandboxing boundaries that standard browser engines apply to untrusted origins. This is a well-documented class of vulnerability in Electron and WebView-based desktop applications, where the host process's elevated OS privileges bleed into the web content layer. An attacker-controlled webpage, when rendered inside Heptabase, can invoke these exposed media APIs directly, bypassing the OS-level permission model that would normally gate such access.
RemediationAI
Consult the TWCERT English advisory at https://www.twcert.org.tw/en/cp-139-10967-4947d-2.html for vendor patch guidance specific to CVE-2026-12060. No exact fixed version number is confirmed in the available intelligence data - the patched release version must be verified directly against Hepta Platforms' official release notes or update channels. As a compensating control pending patch confirmation, restrict Heptabase's access to camera and microphone at the operating system level: on macOS, navigate to System Settings > Privacy & Security > Camera/Microphone and revoke Heptabase's permissions; on Windows, use Settings > Privacy > Camera/Microphone to block the application. Note this trade-off may disable legitimate Heptabase collaboration or recording features. Additionally, train users to avoid opening unsolicited or unverified URLs inside the Heptabase application, particularly links received via email, messaging platforms, or social media. Monitoring for anomalous camera or microphone activation events via endpoint detection tooling provides a detection-layer compensating control.
Same weakness CWE-749 – Exposed Dangerous Method or Function
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36390
GHSA-rp9c-2wcg-gqq5