Is there a public PoC exploit available for CVE-2026-5574?

Yes, a public proof-of-concept exploit is available for CVE-2026-5574. Prioritise patching immediately. EPSS: 0.0%.

Hi Led Wr120 G2 CVE-2026-5574

Q: What is the CVSS score of CVE-2026-5574?

CVE-2026-5574 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-19097 MEDIUM

Missing Authorization (CWE-862)

2026-04-05 VulDB

GHSA-c8wj-h7ff-q6mj

Authentication Bypass Hi Led Wr120 G2

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:11 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

PoC Detected

Apr 07, 2026 - 13:20 vuln.today

Public exploit code

EUVD ID Assigned

Apr 05, 2026 - 15:00 euvd

EUVD-2026-19097

Analysis Generated

Apr 05, 2026 - 15:00 vuln.today

CVE Published

Apr 05, 2026 - 14:45 nvd

MEDIUM 6.9

DescriptionCVE.org

A security vulnerability has been detected in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. Affected is the function deletefile of the component FsBrowseClean. The manipulation of the argument dir/path leads to missing authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Remote unauthenticated attackers can bypass authorization checks in the FsBrowseClean component's deletefile function of Technostrobe HI-LED-WR120-G2 version 5.5.0.1R6.03.30 by manipulating the dir/path argument, enabling unauthorized file deletion. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	This vulnerability combines several high-risk indicators: CVSS 6.9 with network attack vector and no required privileges (PR:N) confirms remote unauthenticated exploitability; CVSS vector shows integrity impact (VI:L) and availability impact (VA:L), indicating file system manipulation capability; publicly available exploit code (E:P) removes the barrier to exploitation; and vendor non-response indicates no official remediation pathway. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A remote attacker on the network sends a crafted HTTP/S request or direct protocol message to the FsBrowseClean component, providing a malicious dir/path parameter that targets a critical system file or configuration. The vulnerable deletefile function processes the request without verifying the attacker's authorization, resulting in unauthorized deletion of the targeted file. …
Remediation	No vendor-released patch identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5574 vulnerability details – vuln.today

Back