What is the CVSS score of EUVD-2026-29499?

EUVD-2026-29499 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of nexent are affected by EUVD-2026-29499?

Nexent v1.7.5.2 contains a critical unauthenticated remote vulnerability (CVE-2026-31215) allowing attackers to delete arbitrary documents from ElasticSearch and MinIO storage without authentication.

How to fix or mitigate EUVD-2026-29499?

Within 24 hours: Identify all Nexent v1.7.5.2 instances in your environment and immediately take them offline or restrict network access to trusted sources only. Within 7 days: Apply network segmentation-allow DELETE requests only from authenticated internal services; implement WAF rules to block DELETE /{index_name}/documents requests from untrusted networks. Within 30 days: Contact Nexent for patched version availability; if unavailable, evaluate migration to a patched alternative or implement API gateway authentication enforcement upstream of Nexent.

nexent EUVD-2026-29499

| CVE-2026-31215 CRITICAL

Files or Directories Accessible to External Parties (CWE-552)

2026-05-12 mitre

GHSA-wm59-m58r-x983

Denial Of Service Information Disclosure Path Traversal Elastic

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

May 13, 2026 - 15:54 vuln.today

CVSS changed

May 13, 2026 - 15:52 NVD

9.1 (CRITICAL)

CVE Published

May 12, 2026 - 00:00 nvd

CRITICAL 9.1

CVE Published

May 12, 2026 - 00:00 nvd

UNKNOWN (no severity yet)

DescriptionNVD

The nexent v1.7.5.2 backend service contains an unauthorized arbitrary file deletion vulnerability in its ElasticSearch service interface. The DELETE /{index_name}/documents endpoint lacks proper authentication and authorization controls and does not validate the user-supplied path_or_url parameter. This allows unauthenticated remote attackers to send crafted requests that trigger the deletion of arbitrary documents from ElasticSearch indices and corresponding files from the MinIO storage system. Successful exploitation leads to data destruction and denial of service.

AnalysisAI

{index_name}/documents endpoint. The backend service fails to authenticate requests or validate the path_or_url parameter, enabling mass data destruction and denial of service. …

RemediationAI

{index_name}/documents requests from untrusted networks. Within 30 days: Contact Nexent for patched version availability; if unavailable, evaluate migration to a patched alternative or implement API gateway authentication enforcement upstream of Nexent.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-42398 HIGH This Week

7.7 May 28

Server-side request forgery in Elastic Kibana allows authenticated users holding connector management privileges to bypa

CVE-2026-33464 MEDIUM This Month

6.5 May 28

Denial of service in Kibana allows any authenticated low-privileged user to render the Kibana service unresponsive for a

CVE-2026-42399 MEDIUM This Month

6.5 May 28

Denial of service in Elastic Kibana allows an authenticated low-privileged user to crash the Kibana service and deny acc

CVE-2026-42400 MEDIUM This Month

6.5 May 28

Denial of service in Kibana allows any authenticated user to crash or render unresponsive a Kibana instance by sending a

CVE-2026-49094 MEDIUM This Month

6.5 May 28

Denial of service in Kibana's analytics collections management endpoint allows any authenticated user with viewer-level

EUVD-2026-29499 vulnerability details – vuln.today

Back

nexent EUVD-2026-29499

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Share

External POC / Exploit Code