Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A flaw has been found in AV Stumpfl Pixera Two Media Server up to 25.2 R2. Impacted is an unknown function of the component Websocket API. This manipulation causes code injection. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 25.2 R3 is recommended to address this issue. Upgrading the affected component is advised.
AnalysisAI
Code injection via Websocket API in AV Stumpfl Pixera Two Media Server ≤25.2 R2 allows unauthenticated remote attackers to execute arbitrary code with low complexity. Publicly available exploit code (GitHub Gist) enables network-based compromise with partial impact to confidentiality, integrity, and availability (CVSS:3.1/C:L/I:L/A:L). Vendor-released patch version 25.2 R3 addresses the vulnerability. Despite network vector and proof-of-concept availability, no CISA KEV listing or EPSS data indicates limited observed exploitation at time of analysis.
Technical ContextAI
The vulnerability affects AV Stumpfl Pixera Two Media Server, a professional media server solution for live events and installations. The flaw resides in the Websocket API component and is classified as CWE-94 (Improper Control of Generation of Code / Code Injection), indicating that attacker-controlled input can manipulate code execution contexts within the server. Websocket APIs commonly handle real-time bidirectional communication, and inadequate input sanitization in message handlers can allow injection of executable code fragments. The CPE identifier (cpe:2.3:a:av_stumpfl:pixera_two_media_server:*:*:*:*:*:*:*:*) confirms this is a first-party AV Stumpfl product vulnerability, not a dependency issue. The network attack vector (AV:N) combined with low complexity (AC:L) and no required privileges (PR:N) or user interaction (UI:N) suggests the Websocket endpoint is exposed without authentication or effective input validation on default configurations.
RemediationAI
Upgrade immediately to AV Stumpfl Pixera Two Media Server version 25.2 R3 or later per vendor advisory at https://help.pixera.one/changelogs-version-overviews/pixera-252-overview-changelog. The vendor explicitly recommends upgrading the affected component rather than applying workarounds. For systems where immediate patching is not feasible due to production schedules or testing requirements, implement network segmentation to restrict Websocket API access to trusted management networks only-block external internet access to TCP ports used by Pixera's Websocket service (consult product documentation for default port assignments, typically non-standard high ports). Deploy web application firewall rules to inspect and filter Websocket handshake requests for code injection patterns, though this provides incomplete protection against unknown exploit variants and may cause false positives impacting legitimate control traffic. If the Websocket API is not operationally required, disable the service entirely via Pixera configuration settings-this eliminates attack surface but will break remote control integrations and third-party automation tools. Note that compensating controls do not address the root cause and should be considered temporary risk reduction only until patching is completed.
More in Pixera Two Media Server
View allSame weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26841