{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5794", "assignerOrgId": "9d5917ae-205d-4ae5-8749-1f49479b1395", "state": "PUBLISHED", "assignerShortName": "THA-PSIRT", "dateReserved": "2026-04-08T13:20:07.168Z", "datePublished": "2026-04-28T17:09:55.609Z", "dateUpdated": "2026-04-29T14:06:08.155Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9d5917ae-205d-4ae5-8749-1f49479b1395", "shortName": "THA-PSIRT", "dateUpdated": "2026-04-29T14:06:08.155Z"}, "title": "Vulnerability in Cryptobox allows an authenticated user to trigger an account lockout", "datePublic": "2026-04-29T14:04:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-694", "description": "CWE-694 Use of multiple resources with duplicate identifier", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-2", "descriptions": [{"lang": "en", "value": "CAPEC-2 Inducing Account Lockout"}]}], "affected": [{"vendor": "Ercom", "product": "Cryptobox", "modules": ["Cryptobox server"], "versions": [{"status": "unaffected", "version": "4.40.175"}, {"status": "unaffected", "version": "4.37.237", "lessThan": "4.38.0", "versionType": "semver"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "A vulnerability affecting the detailed versions of\u00a0Cryptobox allows a legitimate user to prevent another to login by triggering an account lockout via sending a specially crafted request.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A vulnerability affecting the detailed versions of Cryptobox allows a legitimate user to prevent another to login by triggering an account lockout via sending a specially crafted request."}]}], "references": [{"url": "https://info.cryptobox.com/doc/v4.40/4.40.en/", "tags": ["release-notes"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 4.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"}}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T18:33:48.530783Z", "id": "CVE-2026-5794", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T18:33:57.912Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5794", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T18:33:48.530783Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T18:33:53.379Z"}}], "cna": {"title": "Vulnerability in Cryptobox allows an authenticated user to trigger an account lockout", "source": {"discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-2", "descriptions": [{"lang": "en", "value": "CAPEC-2 Inducing Account Lockout"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Ercom", "modules": ["Cryptobox server"], "product": "Cryptobox", "versions": [{"status": "unaffected", "version": "4.40.175"}, {"status": "unaffected", "version": "4.37.237", "lessThan": "4.38.0", "versionType": "semver"}], "defaultStatus": "affected"}], "datePublic": "2026-04-29T14:04:00.000Z", "references": [{"url": "https://info.cryptobox.com/doc/v4.40/4.40.en/", "tags": ["release-notes"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "A vulnerability affecting the detailed versions of\u00a0Cryptobox allows a legitimate user to prevent another to login by triggering an account lockout via sending a specially crafted request.", "supportingMedia": [{"type": "text/html", "value": "A vulnerability affecting the detailed versions of Cryptobox allows a legitimate user to prevent another to login by triggering an account lockout via sending a specially crafted request.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-694", "description": "CWE-694 Use of multiple resources with duplicate identifier"}]}], "providerMetadata": {"orgId": "9d5917ae-205d-4ae5-8749-1f49479b1395", "shortName": "THA-PSIRT", "dateUpdated": "2026-04-29T14:06:08.155Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5794", "state": "PUBLISHED", "dateUpdated": "2026-04-29T14:06:08.155Z", "dateReserved": "2026-04-08T13:20:07.168Z", "assignerOrgId": "9d5917ae-205d-4ae5-8749-1f49479b1395", "datePublished": "2026-04-28T17:09:55.609Z", "assignerShortName": "THA-PSIRT"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability affecting the detailed versions of\u00a0Cryptobox allows a legitimate user to prevent another to login by triggering an account lockout via sending a specially crafted request."}], "id": "CVE-2026-5794", "lastModified": "2026-04-28T20:10:23.367", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "psirt@thalesgroup.com", "type": "Secondary"}]}, "published": "2026-04-28T19:37:47.390", "references": [{"source": "psirt@thalesgroup.com", "url": "https://info.cryptobox.com/doc/v4.40/4.40.en/"}], "sourceIdentifier": "psirt@thalesgroup.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-694"}], "source": "psirt@thalesgroup.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.40.175"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.37.237,4.38.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Cryptobox", "source": "cna", "vendor": "Ercom"}, "product": "cryptobox", "vendor": "ercom"}], "analysis": {"en": {"generated_at": "2026-04-28T23:14:20.640665+00:00", "value": {"mitigation_remediation": ["Upgrade Cryptobox to version 4.40.177 or later.", "Limit the ability to trigger account lockouts to users with appropriate administrative privileges.", "Enable monitoring of lockout events and alert administrators when abnormal lockout attempts are detected."], "summary": {"action": "Apply Patch", "impact": "Account lockout denial of service"}, "threat_synthesis": {"affected_systems": "Ercom Cryptobox, versions before 4.40.177 are vulnerable. The issue is reported for version 4.40.175 and any earlier detailed releases that have not applied the fix.", "description_and_impact": "A legitimate authenticated user can send a specially crafted request that forces another user account into a lockout state, preventing that account from logging in. This results in a denial of service for the targeted users and can degrade the overall availability of the Cryptobox service.", "risk_and_exploitability": "The CVSS score of 4.9 indicates a moderate impact. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires an authenticated session within Cryptobox and involves sending a crafted request; remote code execution or privilege escalation are not supported by the current description."}}}}, "created": "2026-04-28T22:00:13.370450+00:00", "updated": "2026-04-28T23:15:43.859431+00:00", "vendors": ["ercom", "ercom$PRODUCT$cryptobox"]}