CVE-2026-9037 CRITICAL

CVE-2026-9037: Download of code without integrity check in XCharge C6

Vendor Xcharge
Product C6
Weakness CWE-494 · Download without integrity check
Published May 28, 2026
Last update May 29, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the device's management interface. Because cryptographic signatures are not verified, an attacker with the ability to interfere with or impersonate the management channel could cause the device to install an unauthorized firmware package. This condition could allow execution of unauthorized code with high privileges on the device.

Key dates

02Disclosure timeline

May 28, 2026 CVE published
May 29, 2026 Record updated