Skip to main content

Pixera Two Media Server EUVDEUVD-2026-26841

| CVE-2026-7703 MEDIUM
Code Injection (CWE-94)
2026-05-03 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Severity Changed
May 03, 2026 - 17:22 NVD
HIGH MEDIUM
CVSS changed
May 03, 2026 - 17:22 NVD
7.3 (HIGH) 5.5 (MEDIUM)
PoC Detected
May 03, 2026 - 17:16 vuln.today
Public exploit code
Analysis Generated
May 03, 2026 - 17:00 vuln.today
EUVD ID Assigned
May 03, 2026 - 16:30 euvd
EUVD-2026-26841
Analysis Generated
May 03, 2026 - 16:30 vuln.today
Patch released
May 03, 2026 - 16:30 nvd
Patch available
CVE Published
May 03, 2026 - 16:15 nvd
MEDIUM 5.5

DescriptionCVE.org

A flaw has been found in AV Stumpfl Pixera Two Media Server up to 25.2 R2. Impacted is an unknown function of the component Websocket API. This manipulation causes code injection. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 25.2 R3 is recommended to address this issue. Upgrading the affected component is advised.

AnalysisAI

Code injection via Websocket API in AV Stumpfl Pixera Two Media Server ≤25.2 R2 allows unauthenticated remote attackers to execute arbitrary code with low complexity. Publicly available exploit code (GitHub Gist) enables network-based compromise with partial impact to confidentiality, integrity, and availability (CVSS:3.1/C:L/I:L/A:L). Vendor-released patch version 25.2 R3 addresses the vulnerability. Despite network vector and proof-of-concept availability, no CISA KEV listing or EPSS data indicates limited observed exploitation at time of analysis.

Technical ContextAI

The vulnerability affects AV Stumpfl Pixera Two Media Server, a professional media server solution for live events and installations. The flaw resides in the Websocket API component and is classified as CWE-94 (Improper Control of Generation of Code / Code Injection), indicating that attacker-controlled input can manipulate code execution contexts within the server. Websocket APIs commonly handle real-time bidirectional communication, and inadequate input sanitization in message handlers can allow injection of executable code fragments. The CPE identifier (cpe:2.3:a:av_stumpfl:pixera_two_media_server:*:*:*:*:*:*:*:*) confirms this is a first-party AV Stumpfl product vulnerability, not a dependency issue. The network attack vector (AV:N) combined with low complexity (AC:L) and no required privileges (PR:N) or user interaction (UI:N) suggests the Websocket endpoint is exposed without authentication or effective input validation on default configurations.

RemediationAI

Upgrade immediately to AV Stumpfl Pixera Two Media Server version 25.2 R3 or later per vendor advisory at https://help.pixera.one/changelogs-version-overviews/pixera-252-overview-changelog. The vendor explicitly recommends upgrading the affected component rather than applying workarounds. For systems where immediate patching is not feasible due to production schedules or testing requirements, implement network segmentation to restrict Websocket API access to trusted management networks only-block external internet access to TCP ports used by Pixera's Websocket service (consult product documentation for default port assignments, typically non-standard high ports). Deploy web application firewall rules to inspect and filter Websocket handshake requests for code injection patterns, though this provides incomplete protection against unknown exploit variants and may cause false positives impacting legitimate control traffic. If the Websocket API is not operationally required, disable the service entirely via Pixera configuration settings-this eliminates attack surface but will break remote control integrations and third-party automation tools. Note that compensating controls do not address the root cause and should be considered temporary risk reduction only until patching is completed.

Share

EUVD-2026-26841 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy