CVE-2026-9039 HIGH

CVE-2026-9039: Initialization of a resource with an insecure default in XCharge C6

Vendor Xcharge
Product C6
Weakness CWE-1188
Published May 28, 2026
Last update May 29, 2026

CVSS base score

8.6/10
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

A configuration weakness in the device’s remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The service is accessible on interfaces exposed through the charging connector, and it accepts a default administrative credential. A malicious device physically connected to the charging interface could leverage this misconfiguration to obtain full administrative access.

Key dates

02 Disclosure timeline

May 28, 2026 CVE published
May 29, 2026 Record updated