{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1341", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2026-01-22T15:06:19.135Z", "datePublished": "2026-02-03T21:26:41.708Z", "dateUpdated": "2026-02-04T16:47:32.531Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Avation Light Engine Pro", "vendor": "Avation", "versions": [{"status": "affected", "version": "All"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Souvik Kandar reported this vulnerability to CISA"}], "datePublic": "2026-02-03T17:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Avation Light Engine Pro exposes its configuration and control interface without any authentication or access control.</span>"}], "value": "Avation Light Engine Pro exposes its configuration and control interface without any authentication or access control."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-02-03T21:26:41.708Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-034-02"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(245, 250, 252);\">Avation has not responded to CISA's request to coordinate. Users of Avation Light Engine Pro are encouraged to contact Avation for more information.</span>\n\n<br>"}], "value": "Avation has not responded to CISA's request to coordinate. Users of Avation Light Engine Pro are encouraged to contact Avation for more information."}], "source": {"discovery": "UNKNOWN"}, "title": "Missing Authentication for Critical Function in Avation Light Engine Pro", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T16:46:08.187019Z", "id": "CVE-2026-1341", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:47:32.531Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1341", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-04T16:46:08.187019Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:47:20.974Z"}}], "cna": {"title": "Missing Authentication for Critical Function in Avation Light Engine Pro", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Souvik Kandar reported this vulnerability to CISA"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Avation", "product": "Avation Light Engine Pro", "versions": [{"status": "affected", "version": "All"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Avation has not responded to CISA's request to coordinate. Users of Avation Light Engine Pro are encouraged to contact Avation for more information.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(245, 250, 252);\">Avation has not responded to CISA's request to coordinate. Users of Avation Light Engine Pro are encouraged to contact Avation for more information.</span>\n\n<br>", "base64": false}]}], "datePublic": "2026-02-03T17:00:00.000Z", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-034-02"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Avation Light Engine Pro exposes its configuration and control interface without any authentication or access control.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Avation Light Engine Pro exposes its configuration and control interface without any authentication or access control.</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-02-03T21:26:41.708Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1341", "state": "PUBLISHED", "dateUpdated": "2026-02-04T16:47:32.531Z", "dateReserved": "2026-01-22T15:06:19.135Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2026-02-03T21:26:41.708Z", "assignerShortName": "icscert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Avation Light Engine Pro exposes its configuration and control interface without any authentication or access control."}, {"lang": "es", "value": "Avation Light Engine Pro expone su interfaz de configuraci\u00f3n y control sin ninguna autenticaci\u00f3n o control de acceso."}], "id": "CVE-2026-1341", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-02-03T22:16:29.517", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-034-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:00:26.094623+00:00", "value": {"mitigation_remediation": ["Contact Avation for a remediation plan and request a patch to enforce authentication on the control interface.", "Restrict access to the configuration interface using firewall rules or network segmentation to limit exposure to trusted hosts only.", "Implement a VPN or IP whitelisting mechanism to provide temporary authentication until a vendor\u2011provided solution is applied."], "summary": {"action": "Contact Vendor", "impact": "Unauthorized access to configuration and control interface"}, "threat_synthesis": {"affected_systems": "The only affected product identified by the CNA is Avation Light Engine Pro from Avation. No specific version range is reported, so all installations of the product are potentially vulnerable unless the vendor confirms a fix for a particular release.", "description_and_impact": "Avation Light Engine Pro exposes its configuration and control interface without any authentication or access control. This lack of authentication (CWE\u2011306) allows an attacker to read or modify the engine\u2019s settings, effectively compromising the confidentiality, integrity, and availability of the device. The exposed interface can be used to alter operational parameters or to initiate actions that are normally restricted to authorized users.", "risk_and_exploitability": "The vulnerability has a CVSS score of 9.3, indicating a high severity level, but the EPSS score is less than 1\u202fpercent, suggesting a low probability of exploitation at this time. The issue is not listed in CISA\u2019s KEV catalog, implying no confirmed active exploitation. A likely attack vector is remote, inferred from the description that the configuration interface is exposed over a network. An attacker who can reach the interface would be able to perform unauthorized actions until a vendor remediation is applied."}}}}, "created": "2026-02-04T12:05:54.292511+00:00", "updated": "2026-04-18T00:15:31.766910+00:00", "vendors": ["avation", "avation$PRODUCT$light_engine_pro"]}