Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates.
AnalysisAI
VINCE versions 3.0.38 and earlier fail to properly verify sender address authenticity due to encoding confusion, allowing unauthenticated remote attackers to forge email From addresses and trigger automated actions such as ticket creation or updates. The vulnerability combines information disclosure with integrity impact, affecting the reliability of ticket management workflows that depend on sender validation.
Technical ContextAI
VINCE (Vulnerability Information and Coordination Engine) is CERT/CC's coordination platform that processes inbound communications to manage vulnerability disclosures. The vulnerability stems from improper validation of RFC 5321 SMTP From addresses, likely involving character encoding edge cases (e.g., homograph attacks, punycode confusion, or MIME header encoding bypass). The flaw allows attackers to manipulate the From address used in automated processing logic, causing the system to misattribute ticket actions to spoofed senders without requiring authentication. This is a logic flaw in email header parsing and address validation routines, categorized under information disclosure due to exposure of ticket operations to unauthorized actors.
RemediationAI
Upgrade VINCE to a version newer than 3.0.38 as soon as it is released by CERT/CC. Until a patched version is available, implement the following compensating controls: (1) Disable automated ticket creation or updates from email sources, requiring manual review and approval of all inbound email-triggered actions - this eliminates the exploit vector but may reduce operational efficiency; (2) Implement email authentication (SPF, DKIM, DMARC) and configure VINCE to reject emails failing authentication checks before processing - this validates sender legitimacy at the SMTP level but requires coordination with your mail infrastructure; (3) Restrict access to VINCE's email ingestion endpoints to a whitelist of trusted mail relays only - this limits attack surface but complicates mail routing for external reporters. Monitor the CERT/CC VINCE advisory page at https://kb.cert.org/vince and the GitHub repository security advisories for patch availability.
An open redirect vulnerability exists in CERT/CC VINCE software prior to 1.50.0. Rated medium severity (CVSS 6.1), this
A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. Rated high severity (CVSS 8.8), t
VINCE versions before 3.0.9 is vulnerable to exposure of User information to authenticated users. Rated medium severity
An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. Rated medium severity (CVSS 5.4), this
An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. Rated medium severity (CVSS 5.4), this
A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. Rated medium se
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28437
GHSA-v8g3-5j4v-2ghv