CVE-2026-2331 CRITICAL

CVE-2026-2331: CVE-2026-2331

Vendor Sick Ag
Product SICK Lector85x
Weakness CWE-552 · Files accessible externally
Published March 6, 2026
Last update March 9, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

An attacker may perform unauthenticated read and write operations on sensitive filesystem areas via the AppEngine Fileaccess over HTTP due to improper access restrictions. A critical filesystem directory was unintentionally exposed through the HTTP-based file access feature, allowing access without authentication. This includes device parameter files, enabling an attacker to read and modify application settings, including customer-defined passwords. Additionally, exposure of the custom application directory may allow execution of arbitrary Lua code within the sandboxed AppEngine environment.

Key dates

02Disclosure timeline

March 6, 2026 CVE published
March 9, 2026 Record updated

Related vulnerabilities

04Related CVE