Skip to main content

Cashdro 3 Administration Panel

2 CVEs product

Monthly

CVE-2026-8077 HIGH PATCH This Week

Authorization bypass in CashDro 3 web administration panel 24.01.00.26 allows authenticated attackers to escalate to full administrative privileges by manipulating client-side permission controls. The vulnerability stems from reliance on frontend-only authorization checks, with no backend validation of user permissions. Attackers with low-privileged accounts can modify the 'Permissions' field in JSON responses to grant themselves unrestricted access to cash management system controls. INCIBE-CERT has confirmed vendor patch availability, though EPSS data is not yet available for this recent CVE.

Authentication Bypass Cashdro 3 Administration Panel
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-8076 CRITICAL PATCH Act Now

Brute-force authentication bypass in CashDro 3 web administration panel 24.01.00.26 enables remote unauthenticated attackers to gain full administrative access. The system accepts numeric PINs without account lockout mechanisms, a legacy design from 2012 POS integrations. Successful exploitation grants access to confidential configuration settings with high impact to confidentiality and integrity (CVSS 9.3). No public exploit identified at time of analysis, though exploitation is trivial given the vulnerability class. Patch available per vendor advisory from INCIBE.

Authentication Bypass Cashdro 3 Administration Panel
NVD
CVSS 4.0
9.3
EPSS
0.1%
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Authorization bypass in CashDro 3 web administration panel 24.01.00.26 allows authenticated attackers to escalate to full administrative privileges by manipulating client-side permission controls. The vulnerability stems from reliance on frontend-only authorization checks, with no backend validation of user permissions. Attackers with low-privileged accounts can modify the 'Permissions' field in JSON responses to grant themselves unrestricted access to cash management system controls. INCIBE-CERT has confirmed vendor patch availability, though EPSS data is not yet available for this recent CVE.

Authentication Bypass Cashdro 3 Administration Panel
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Brute-force authentication bypass in CashDro 3 web administration panel 24.01.00.26 enables remote unauthenticated attackers to gain full administrative access. The system accepts numeric PINs without account lockout mechanisms, a legacy design from 2012 POS integrations. Successful exploitation grants access to confidential configuration settings with high impact to confidentiality and integrity (CVSS 9.3). No public exploit identified at time of analysis, though exploitation is trivial given the vulnerability class. Patch available per vendor advisory from INCIBE.

Authentication Bypass Cashdro 3 Administration Panel
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy