Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (SamsungMobile) · only source for this CVE.
CVSS VectorVendor: SamsungMobile
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Improper input validation in Samsung Plus TV prior to version 1.0.28.6 allows remote attackers to access sensitive information.
AnalysisAI
Improper input validation in Samsung Plus TV prior to version 1.0.28.6 exposes sensitive information to unauthenticated remote attackers, requiring only passive user interaction. The CVSS 4.0 vector reveals a notable scope discrepancy: while the vulnerable component itself suffers only low confidentiality impact (VC:L), the subsequent system scope carries high confidentiality, integrity, and availability ratings (SC:H/SI:H/SA:H), suggesting that exploiting the Samsung Plus TV app can cascade into broader system-level compromise on the affected device. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Technical ContextAI
Samsung Plus TV is a smart TV application platform developed by Samsung Mobile (CPE: cpe:2.3:a:samsung_mobile:samsung_plus_tv:*:*:*:*:*:*:*:*). The root cause is improper input validation (no specific CWE was assigned, but the pattern aligns with CWE-20: Improper Input Validation), where the application fails to adequately sanitize or verify externally supplied input over a network channel. The CVSS 4.0 framework's separation of vulnerable component (VC/VI/VA) versus subsequent system (SC/SI/SA) impacts indicates the flaw likely allows the attacker to leverage Samsung Plus TV as a pivot point - the insufficiently validated input triggers behavior that reaches beyond the app's own process boundary into the underlying TV operating system or shared platform services.
RemediationAI
Update Samsung Plus TV to version 1.0.28.6 or later, as confirmed by Samsung Mobile's June 2026 security bulletin at https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=06 and the EUVD-2026-34807 advisory. On supported Samsung smart TV platforms, this update may be available through the TV's built-in app store or system software update mechanism - users should navigate to Settings and check for application and firmware updates. As a compensating control where immediate patching is not possible, restricting the Samsung Plus TV device's network access to trusted VLANs or disabling the application until the update is applied would reduce exposure, though this trades off against the intended streaming functionality. No vendor-documented workarounds are available in the referenced advisories beyond applying the patch.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34807
GHSA-9hqx-pxcx-hj4w