Skip to main content

Com Meari Sdk

2 CVEs product

Monthly

CVE-2026-33361 HIGH This Week

Weak XOR obfuscation in Meari IoT SDK's libmrplayer.so library enables remote unauthenticated attackers to decrypt baby monitor image snapshots from CloudEdge 5.5.0, Arenti 1.8.1, and white-label apps (versions ≤1.8.x). The '.jpgx3' file format applies reversible XOR encryption only to the first 1024 bytes using a predictable key derivation model, exposing confidential video surveillance imagery. EPSS data unavailable; no CISA KEV listing or public exploit code confirmed, though proof-of-concept research published by runZero demonstrates practical decryption. CVSS 7.5 reflects HIGH confidentiality impact with network-accessible attack surface requiring no authentication.

Information Disclosure Com Meari Sdk
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33357 HIGH This Week

Server-side authorization bypass in Meari SDK (com.meari.sdk) exposes WAN IP addresses of arbitrary IoT devices to unauthenticated remote attackers. Affects CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and white-label applications ≤1.8.x that embed the SDK. Attackers can enumerate device IPs by exploiting the openapi-euce.mearicloud.com endpoint without authentication (CVSS AV:N/PR:N), enabling reconnaissance for targeted attacks against exposed cameras and IoT infrastructure. EPSS data not available; no CISA KEV listing at time of analysis. Public vulnerability disclosure with technical details published by runZero.

Authentication Bypass Com Meari Sdk
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
EPSS 0% CVSS 7.5
HIGH This Week

Weak XOR obfuscation in Meari IoT SDK's libmrplayer.so library enables remote unauthenticated attackers to decrypt baby monitor image snapshots from CloudEdge 5.5.0, Arenti 1.8.1, and white-label apps (versions ≤1.8.x). The '.jpgx3' file format applies reversible XOR encryption only to the first 1024 bytes using a predictable key derivation model, exposing confidential video surveillance imagery. EPSS data unavailable; no CISA KEV listing or public exploit code confirmed, though proof-of-concept research published by runZero demonstrates practical decryption. CVSS 7.5 reflects HIGH confidentiality impact with network-accessible attack surface requiring no authentication.

Information Disclosure Com Meari Sdk
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Server-side authorization bypass in Meari SDK (com.meari.sdk) exposes WAN IP addresses of arbitrary IoT devices to unauthenticated remote attackers. Affects CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and white-label applications ≤1.8.x that embed the SDK. Attackers can enumerate device IPs by exploiting the openapi-euce.mearicloud.com endpoint without authentication (CVSS AV:N/PR:N), enabling reconnaissance for targeted attacks against exposed cameras and IoT infrastructure. EPSS data not available; no CISA KEV listing at time of analysis. Public vulnerability disclosure with technical details published by runZero.

Authentication Bypass Com Meari Sdk
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy