CVE-2026-41446 CRITICAL

CVE-2026-41446: WattBox 800 & 820 Series < 2.10.0.0 RCE via Diagnostic Endpoints

Vendor: Snap One, LLC
Product: WattBox 800
Weakness: CWE-912
Published: April 28, 2026
Last update: May 14, 2026

CVSS base score

9.2/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Snap One WattBox 800 and 820 series firmware versions prior to 2.10.0.0 contain undisclosed diagnostic HTTP endpoints that require only the device MAC address and service tag for authentication, both of which are printed in plaintext on the physical device label. Attackers with access to the device label, or to documentation containing these values, can authenticate to these endpoints and execute arbitrary commands as root on the device.

Key dates

02 Disclosure timeline

April 28, 2026: CVE published
May 14, 2026: Record updated