Navbox Firmware
CVE-2026-2753
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
An Absolute Path Traversal vulnerability exists in Navtor NavBox. The application exposes an HTTP service that fails to properly sanitize user-supplied path input. Unauthenticated remote attackers can exploit this issue by submitting requests containing absolute filesystem paths. Successful exploitation allows the attacker to retrieve arbitrary files from the underlying filesystem, limited only by the privileges of the service process. This can lead to the exposure of sensitive configuration files and system information.
AnalysisAI
Navtor NavBox exposes an unauthenticated path traversal vulnerability in its HTTP service that allows remote attackers to read arbitrary files from the server by submitting requests with absolute filesystem paths. Successful exploitation enables unauthorized disclosure of sensitive configuration files and system information, limited only by the service process privileges. No patch is currently available.
Technical ContextAI
An Absolute Path Traversal vulnerability exists in Navtor NavBox. The application exposes an HTTP service that fails to properly sanitize user-supplied path input. Unauthenticated remote attackers can exploit this issue by submitting requests containing absolute filesystem paths. Successful exploitation allows the attacker to retrieve arbitrary files from the underlying filesystem, limited only by the privileges of the service process. This can lead to the exposure of sensitive configuration fil
RemediationAI
Monitor vendor advisories for a patch. Validate and sanitize file path inputs. Use allowlists. Restrict network access to the affected service where possible.
More in Navbox Firmware
View allHard-coded credentials embedded in NAVTOR NavBox's Windows Communication Foundation (SOAP) implementation allow a local
Navtor NavBox devices allow unauthenticated remote attackers to retrieve sensitive operational data including ECDIS info
The /api/ais-data endpoint in Navtor NavBox leaks sensitive information through unhandled exception error messages, allo
Same weakness CWE-36 – Absolute Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today