Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
When processing a request with a URL path starting with /status or /sysinfo, WOSHttpStatusModule.dll is to be loaded to handle such URL patterns. The WOSBin_LoadHttpModule function in the dll would be called to set up a "module" object for that module. However, WOSHttpStatusModule.dll is not present in the installation. As a result, a function pointer to WOSBin_LoadHttpModule (which would have been in the export table in WOSHttpStatusModule.dll) is set to NULL, resulting in calling a function at address 0.
AnalysisAI
Denial of service in Gladinet Triofox lets unauthenticated remote attackers crash the web service by sending an HTTP request whose URL path begins with /status or /sysinfo. The server tries to load WOSHttpStatusModule.dll to service those paths and calls WOSBin_LoadHttpModule, but that DLL ships missing from the installation, so the resolved function pointer is NULL and the code invokes a function at address 0, terminating the process (CWE-476). The flaw was discovered and reported by Tenable (TRA-2026-45); no public exploit identified at time of analysis and it is not on the CISA KEV list, with availability-only impact (CVSS 7.5).
Triofox versions before 16.7.10368.56560 contain an improper access control flaw allowing access to initial setup pages
Remote code execution in Gladinet Triofox is possible through a stack-based buffer overflow in WOSDefaultHttpModule.dll,
Remote code execution in Gladinet Triofox is possible through a stack-based buffer overflow in the WOSDeviceDropFolder.d
Missing authentication in Gladinet Triofox's Cloud Server Agent Access Service (GladServerAgentService.exe) lets remote,
Information disclosure via path traversal in Gladinet Triofox lets remote unauthenticated attackers read arbitrary files
Denial of service in Gladinet Triofox lets remote unauthenticated attackers crash the Triofox Server Agent by triggering
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32646
GHSA-f7wq-cj78-r6c9