{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0842", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-01-10T09:52:57.730Z", "datePublished": "2026-01-11T08:02:06.221Z", "dateUpdated": "2026-02-23T08:30:28.781Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T08:30:28.781Z"}, "title": "Flycatcher Toys smART Sketcher Bluetooth Low Energy missing authentication", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-306", "lang": "en", "description": "Missing Authentication"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-287", "lang": "en", "description": "Improper Authentication"}]}], "affected": [{"vendor": "Flycatcher Toys", "product": "smART Sketcher", "versions": [{"version": "2.0", "status": "affected"}], "modules": ["Bluetooth Low Energy Interface"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. This affects an unknown part of the component Bluetooth Low Energy Interface. This manipulation causes missing authentication. The attack can only be done within the local network. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-01-10T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-01-10T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-01-12T15:47:33.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "davidrochester (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.340442", "name": "VDB-340442 | Flycatcher Toys smART Sketcher Bluetooth Low Energy missing authentication", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.340442", "name": "VDB-340442 | CTI Indicators (IOB, IOC)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.729134", "name": "Submit #729134 | Flycatcher Toys smART Sketcher 2.0 0/1/2 Missing Authentication for Critical Function", "tags": ["third-party-advisory"]}, {"url": "https://github.com/davidrxchester/smart-sketcher-upload/blob/main/smartsketch-upload.py", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T17:30:00.435842Z", "id": "CVE-2026-0842", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T17:50:26.288Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0842", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-12T17:30:00.435842Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T17:32:05.622Z"}}], "cna": {"title": "Flycatcher Toys smART Sketcher Bluetooth Low Energy missing authentication", "credits": [{"lang": "en", "type": "reporter", "value": "davidrochester (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "Flycatcher Toys", "modules": ["Bluetooth Low Energy Interface"], "product": "smART Sketcher", "versions": [{"status": "affected", "version": "2.0"}]}], "timeline": [{"lang": "en", "time": "2026-01-10T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-01-10T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-01-12T15:47:33.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.340442", "name": "VDB-340442 | Flycatcher Toys smART Sketcher Bluetooth Low Energy missing authentication", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.340442", "name": "VDB-340442 | CTI Indicators (IOB, IOC)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.729134", "name": "Submit #729134 | Flycatcher Toys smART Sketcher 2.0 0/1/2 Missing Authentication for Critical Function", "tags": ["third-party-advisory"]}, {"url": "https://github.com/davidrxchester/smart-sketcher-upload/blob/main/smartsketch-upload.py", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. This affects an unknown part of the component Bluetooth Low Energy Interface. This manipulation causes missing authentication. The attack can only be done within the local network. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "Missing Authentication"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "Improper Authentication"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T08:30:28.781Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0842", "state": "PUBLISHED", "dateUpdated": "2026-02-23T08:30:28.781Z", "dateReserved": "2026-01-10T09:52:57.730Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-01-11T08:02:06.221Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. This affects an unknown part of the component Bluetooth Low Energy Interface. This manipulation causes missing authentication. The attack can only be done within the local network. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha encontrado un fallo en Flycatcher Toys smART Sketcher hasta la versi\u00f3n 2.0. Esto afecta a una parte desconocida del componente Interfaz Bluetooth de Baja Energ\u00eda. Esta manipulaci\u00f3n provoca ausencia de autenticaci\u00f3n. El ataque solo puede realizarse dentro de la red local. El exploit ha sido publicado y puede ser utilizado. El proveedor fue contactado tempranamente sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "id": "CVE-2026-0842", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-01-11T08:16:00.150", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/davidrxchester/smart-sketcher-upload/blob/main/smartsketch-upload.py"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.340442"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.340442"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.729134"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-306"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T07:04:35.016459+00:00", "value": {"mitigation_remediation": ["Apply the latest firmware update once the vendor releases a fix for the Bluetooth authentication issue.", "Disable or remove the Bluetooth Low Energy interface on the toy when it is not actively in use.", "Configure network access controls or firewall rules to allow BLE traffic only to authorized MAC addresses.", "Isolate the toy\u2019s network segment from critical infrastructure to limit lateral movement.", "Monitor for unusual BLE traffic or command patterns that could indicate exploitation."], "summary": {"action": "Apply Patch", "impact": "Local Authentication Bypass"}, "threat_synthesis": {"affected_systems": "Flycatcher Toys smART Sketcher devices with firmware versions up to and including 2.0 are affected. No additional product or version information is available in the current report.", "description_and_impact": "This vulnerability arises from missing authentication in an unknown part of Flycatcher Toys smART Sketcher\u2019s Bluetooth Low Energy Interface. An attacker who can position themselves on the same local network can send unauthorized Bluetooth commands to the toy, potentially taking control or causing unintended behavior. The weakness maps to CWE\u2011287 and CWE\u2011306, indicating a failure to properly authenticate requests and enforce security controls. The impact is limited to devices that expose the BLE interface, but any connected user could be affected if the toy is used in an uncontrolled environment.", "risk_and_exploitability": "The CVSS score of 5.3 places the vulnerability in the medium range, while the EPSS score of less than 1\u202f% suggests a very low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers must be within the local network to exploit the flaw, so exposure is limited to physically or logically proximate devices. Because the vendor has not issued a patch or response, the risk remains present until an official fix is released or mitigated through configuration changes."}}}}, "created": "2026-04-18T07:15:25.849494+00:00", "updated": "2026-04-18T07:15:25.849505+00:00", "vendors": []}