Skip to main content

Home Flex

3 CVEs product

Monthly

CVE-2026-4157 HIGH This Week

Remote code execution via command injection in ChargePoint Home Flex electric vehicle charging stations allows unauthenticated network-adjacent attackers to execute arbitrary commands as root. The vulnerability resides in the revssh service's handling of OCPP (Open Charge Point Protocol) messages, where unsanitized user-supplied strings are passed directly to system calls. No authentication is required, but the attacker must be on the same network segment as the charging device. No public exploit identified at time of analysis.

RCE Command Injection Home Flex
NVD VulDB
CVSS 3.0
7.5
EPSS
0.2%
CVE-2026-4156 HIGH This Week

Stack-based buffer overflow in ChargePoint Home Flex electric vehicle chargers enables network-adjacent attackers to execute arbitrary code as root via malformed OCPP messages. Unauthenticated exploitation allows complete device compromise through improper length validation in OCPP getpreq message handling. Attack complexity is high (CVSS AC:H), requiring local network access. No public exploit identified at time of analysis.

RCE Buffer Overflow Stack Overflow Home Flex
NVD VulDB
CVSS 3.0
7.5
EPSS
0.1%
CVE-2026-4155 HIGH This Week

Hardcoded cryptographic seed disclosure in ChargePoint Home Flex charging stations enables unauthenticated remote attackers to extract stored credentials via the genpw script. The vulnerability exposes a secret seed value embedded directly in source code, allowing attackers to decrypt or regenerate passwords for further system compromise. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects unauthenticated network access with high confidentiality impact.

Information Disclosure Home Flex
NVD VulDB
CVSS 3.0
7.5
EPSS
0.2%
EPSS 0% CVSS 7.5
HIGH This Week

Remote code execution via command injection in ChargePoint Home Flex electric vehicle charging stations allows unauthenticated network-adjacent attackers to execute arbitrary commands as root. The vulnerability resides in the revssh service's handling of OCPP (Open Charge Point Protocol) messages, where unsanitized user-supplied strings are passed directly to system calls. No authentication is required, but the attacker must be on the same network segment as the charging device. No public exploit identified at time of analysis.

RCE Command Injection Home Flex
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Stack-based buffer overflow in ChargePoint Home Flex electric vehicle chargers enables network-adjacent attackers to execute arbitrary code as root via malformed OCPP messages. Unauthenticated exploitation allows complete device compromise through improper length validation in OCPP getpreq message handling. Attack complexity is high (CVSS AC:H), requiring local network access. No public exploit identified at time of analysis.

RCE Buffer Overflow Stack Overflow +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Hardcoded cryptographic seed disclosure in ChargePoint Home Flex charging stations enables unauthenticated remote attackers to extract stored credentials via the genpw script. The vulnerability exposes a secret seed value embedded directly in source code, allowing attackers to decrypt or regenerate passwords for further system compromise. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects unauthenticated network access with high confidentiality impact.

Information Disclosure Home Flex
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy