{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1949", "assignerOrgId": "759f5e80-c8e1-4224-bead-956d7b33c98b", "state": "PUBLISHED", "assignerShortName": "Deltaww", "dateReserved": "2026-02-05T05:42:58.810Z", "datePublished": "2026-04-24T05:50:48.468Z", "dateUpdated": "2026-04-24T15:27:12.043Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "759f5e80-c8e1-4224-bead-956d7b33c98b", "shortName": "Deltaww", "dateUpdated": "2026-04-24T05:50:48.468Z"}, "title": "Incorrect calculation of buffer size on the stack in AS320T", "datePublic": "2026-04-24T05:26:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-131", "description": "CWE-131 Incorrect Calculation of Buffer Size", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100: Overflow Buffers"}]}], "affected": [{"vendor": "DeltaWW", "product": "AS320T", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.14", "versionType": "custom"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:deltaww:as320t:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndIncluding": "1.14"}]}]}], "descriptions": [{"lang": "en", "value": "Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service."}]}], "references": [{"url": "https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00006_AS320T%20Multiple%20vulnerabilities%20(CVE-2026-1949,%201950,%201951,%201952).pdf"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "solutions": [{"lang": "en", "value": "Upgrade firmware to v1.16 or later", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Upgrade firmware to v1.16 or later<br>"}]}], "credits": [{"lang": "en", "value": "Sergey Fedonin and Ivan Kurnakov (Positive Technologies)", "type": "reporter"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T15:26:55.912129Z", "id": "CVE-2026-1949", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T15:27:12.043Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1949", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-24T15:26:55.912129Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T15:27:03.572Z"}}], "cna": {"title": "Incorrect calculation of buffer size on the stack in AS320T", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Sergey Fedonin and Ivan Kurnakov (Positive Technologies)"}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100: Overflow Buffers"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "DeltaWW", "product": "AS320T", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.14"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade firmware to v1.16 or later", "supportingMedia": [{"type": "text/html", "value": "Upgrade firmware to v1.16 or later<br>", "base64": false}]}], "datePublic": "2026-04-24T05:26:00.000Z", "references": [{"url": "https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00006_AS320T%20Multiple%20vulnerabilities%20(CVE-2026-1949,%201950,%201951,%201952).pdf"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service.", "supportingMedia": [{"type": "text/html", "value": "Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-131", "description": "CWE-131 Incorrect Calculation of Buffer Size"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:deltaww:as320t:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.14", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "759f5e80-c8e1-4224-bead-956d7b33c98b", "shortName": "Deltaww", "dateUpdated": "2026-04-24T05:50:48.468Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1949", "state": "PUBLISHED", "dateUpdated": "2026-04-24T15:27:12.043Z", "dateReserved": "2026-02-05T05:42:58.810Z", "assignerOrgId": "759f5e80-c8e1-4224-bead-956d7b33c98b", "datePublished": "2026-04-24T05:50:48.468Z", "assignerShortName": "Deltaww"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:deltaww:as320t_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC2A0FA6-0941-49B4-BBDD-D4D7E886D4E6", "versionEndExcluding": "1.16", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:deltaww:as320t:-:*:*:*:*:*:*:*", "matchCriteriaId": "207554E0-1FF1-4F4A-AE19-C8F77D3A38D9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service."}], "id": "CVE-2026-1949", "lastModified": "2026-05-11T17:42:32.820", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "759f5e80-c8e1-4224-bead-956d7b33c98b", "type": "Secondary"}]}, "published": "2026-04-24T06:16:03.883", "references": [{"source": "759f5e80-c8e1-4224-bead-956d7b33c98b", "tags": ["Vendor Advisory"], "url": "https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00006_AS320T%20Multiple%20vulnerabilities%20(CVE-2026-1949,%201950,%201951,%201952).pdf"}], "sourceIdentifier": "759f5e80-c8e1-4224-bead-956d7b33c98b", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-131"}], "source": "759f5e80-c8e1-4224-bead-956d7b33c98b", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.14]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "AS320T", "source": "cna", "vendor": "DeltaWW"}, "product": "as320t", "vendor": "deltaww"}], "analysis": {"en": {"generated_at": "2026-04-28T06:57:10.626093+00:00", "value": {"mitigation_remediation": ["Upgrade the device firmware to version v1.16 or later as distributed by DeltaWW.", "If an upgrade cannot be performed immediately, restrict or disable external access to the device\u2019s web service through firewalls or access\u2011control lists.", "Monitor system logs for anomalous activity such as unusual GET/PUT requests that could indicate exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects DeltaWW AS320T units running firmware versions older than v1.16. No specific older versions are listed, so all firmware prior to v1.16 is considered at risk.", "description_and_impact": "Delta Electronics AS320T suffers from an incorrect buffer size calculation in the GET/PUT request handler of its web service, a classic stack-based buffer overflow flaw identified as CWE-131. The overflow can overwrite control data on the stack, permitting an attacker to inject and execute arbitrary code or crash the service, compromising the device\u2019s confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a critical severity, yet the EPSS score of less than 1% suggests a very low current exploitation probability. The flaw is not listed in CISA\u2019s KEV catalog, but the remote nature of the web service means an attacker can target the device from the network where the service is exposed. Successful exploitation could grant full control over the device or cause a denial of service."}}}}, "created": "2026-04-27T22:00:15.581369+00:00", "updated": "2026-04-28T07:00:09.535671+00:00", "vendors": ["deltaww", "deltaww$PRODUCT$as320t"]}