CVE-2026-31849 HIGH

CVE-2026-31849: Missing CSRF Protection on Administrative Endpoints in Nexxt Nebula 300+

Vendor Nexxt Solutions
Product Nebula 300+
Weakness CWE-352 · CSRF
Published March 23, 2026
Last update March 26, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement CSRF protections on state-changing endpoints such as /goform/setSysTools and other administrative interfaces. As a result, an attacker can craft malicious web requests that are executed in the context of an authenticated administrator’s browser, leading to unauthorized configuration changes, including enabling services or modifying system settings.

Key dates

02Disclosure timeline

March 23, 2026 CVE published
March 26, 2026 Record updated

Related vulnerabilities

04Related CVE