Severity by source
CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
The PaperCut NG/MF (specifically, the embedded application for Konica Minolta devices) is vulnerable to session hijacking. The PaperCut NG/MF Embedded application is a software interface that runs directly on the touch screen of a multi-function device.
It was internally discovered that the communication channel between the embedded application and the server was insecure, which could leak data including sensitive information that may be used to mount an attack on the device. Such an attack could potentially be used to steal data or to perform a phishing attack on the end user.
AnalysisAI
PaperCut NG/MF embedded application on Konica Minolta multifunction devices transmits sensitive session data over an insecure communication channel, enabling session hijacking and potential credential theft or phishing attacks against end users. The vulnerability affects all versions of the embedded application and was discovered internally by PaperCut; no public exploit code or active exploitation has been confirmed at this time.
Technical ContextAI
PaperCut NG/MF is a print management solution that includes an embedded application interface running on multifunction device touch screens. The vulnerability stems from CWE-319 (Cleartext Transmission of Sensitive Information), where the communication channel between the embedded application and the PaperCut server fails to implement proper encryption or secure transport mechanisms. This allows an attacker positioned on the network (or with access to the device's communication path) to intercept session tokens, authentication credentials, or other sensitive data transmitted in cleartext, facilitating unauthorized access or credential-based attacks.
RemediationAI
Organizations should contact PaperCut support and consult the security bulletin at https://www.papercut.com/kb/Main/papercut-ng-mf-security-bulletin-march-2026/ for vendor-released patches or firmware updates addressing the insecure communication channel. Until patches are available, implement network-level mitigations including segregation of multifunction devices onto a dedicated print management VLAN with encrypted tunnel access to the PaperCut server, implementation of VPN or IPsec encryption for device-to-server communication, and monitoring of network traffic for suspicious session activity. Administrators should review device access logs and reset user credentials as a precautionary measure.
More in Papercut Ng Mf
View allPaperCut MF version 25.0.4 allows authenticated administrators to read arbitrary files on the server through insufficien
Stored cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF versions before 25.0.10 allow authenticated administ
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17273