{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1950", "assignerOrgId": "759f5e80-c8e1-4224-bead-956d7b33c98b", "state": "PUBLISHED", "assignerShortName": "Deltaww", "dateReserved": "2026-02-05T05:43:00.436Z", "datePublished": "2026-04-24T05:56:52.385Z", "dateUpdated": "2026-04-24T15:27:45.198Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "759f5e80-c8e1-4224-bead-956d7b33c98b", "shortName": "Deltaww", "dateUpdated": "2026-04-24T06:00:06.239Z"}, "title": "No checking of the length of the buffer with the file name in AS320T", "datePublic": "2026-04-24T05:26:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100: Overflow Buffers"}]}], "affected": [{"vendor": "DeltaWW", "product": "AS320T", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.14", "versionType": "custom"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:deltaww:as320t:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndIncluding": "1.14"}]}]}], "descriptions": [{"lang": "en", "value": "Delta Electronics AS320T has \nNo checking of the length of the buffer with the file name vulnerability.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Delta Electronics AS320T has \nNo checking of the length of the buffer with the file name vulnerability."}]}], "references": [{"url": "https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00006_AS320T%20Multiple%20vulnerabilities%20(CVE-2026-1949,%201950,%201951,%201952).pdf"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "solutions": [{"lang": "en", "value": "Upgrade firmware to v1.16 or later", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Upgrade firmware to v1.16 or later<br>"}]}], "credits": [{"lang": "en", "value": "Sergey Fedonin and Ivan Kurnakov (Positive Technologies)", "type": "reporter"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T15:27:30.485037Z", "id": "CVE-2026-1950", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T15:27:45.198Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1950", "assignerOrgId": "759f5e80-c8e1-4224-bead-956d7b33c98b", "state": "PUBLISHED", "assignerShortName": "Deltaww", "dateReserved": "2026-02-05T05:43:00.436Z", "datePublished": "2026-04-24T05:56:52.385Z", "dateUpdated": "2026-04-24T15:27:45.198Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "759f5e80-c8e1-4224-bead-956d7b33c98b", "shortName": "Deltaww", "dateUpdated": "2026-04-24T06:00:06.239Z"}, "title": "No checking of the length of the buffer with the file name in AS320T", "datePublic": "2026-04-24T05:26:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100: Overflow Buffers"}]}], "affected": [{"vendor": "DeltaWW", "product": "AS320T", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.14", "versionType": "custom"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:deltaww:as320t:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndIncluding": "1.14"}]}]}], "descriptions": [{"lang": "en", "value": "Delta Electronics AS320T has \nNo checking of the length of the buffer with the file name vulnerability.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Delta Electronics AS320T has \nNo checking of the length of the buffer with the file name vulnerability."}]}], "references": [{"url": "https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00006_AS320T%20Multiple%20vulnerabilities%20(CVE-2026-1949,%201950,%201951,%201952).pdf"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "solutions": [{"lang": "en", "value": "Upgrade firmware to v1.16 or later", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Upgrade firmware to v1.16 or later<br>"}]}], "credits": [{"lang": "en", "value": "Sergey Fedonin and Ivan Kurnakov (Positive Technologies)", "type": "reporter"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1950", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-24T15:27:30.485037Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T15:27:40.305Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:deltaww:as320t_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC2A0FA6-0941-49B4-BBDD-D4D7E886D4E6", "versionEndExcluding": "1.16", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:deltaww:as320t:-:*:*:*:*:*:*:*", "matchCriteriaId": "207554E0-1FF1-4F4A-AE19-C8F77D3A38D9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Delta Electronics AS320T has \nNo checking of the length of the buffer with the file name vulnerability."}], "id": "CVE-2026-1950", "lastModified": "2026-05-11T17:42:40.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "759f5e80-c8e1-4224-bead-956d7b33c98b", "type": "Secondary"}]}, "published": "2026-04-24T07:16:08.523", "references": [{"source": "759f5e80-c8e1-4224-bead-956d7b33c98b", "tags": ["Vendor Advisory"], "url": "https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00006_AS320T%20Multiple%20vulnerabilities%20(CVE-2026-1949,%201950,%201951,%201952).pdf"}], "sourceIdentifier": "759f5e80-c8e1-4224-bead-956d7b33c98b", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "759f5e80-c8e1-4224-bead-956d7b33c98b", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.14]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "inferred", "scores": [{"score": 100.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "AS320T", "source": "cna", "vendor": "DeltaWW"}, "product": "as320t", "vendor": "deltaww"}], "analysis": {"en": {"generated_at": "2026-04-28T14:24:12.407920+00:00", "value": {"mitigation_remediation": ["Upgrade the device firmware to version 1.16 or later as provided by Delta Electronics.", "Restrict network access to the AS320T device so that only trusted hosts can submit file names, and monitor traffic for anomalous requests.", "If a firmware upgrade is not immediately possible, place the device behind a firewall or network segment that limits exposure to potential attackers and subject it to rigorous logging and alerting for suspicious activity."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerable devices are Delta Electronics AS320T network storage units. Firmware versions earlier than 1.16 lack the necessary length check for file names and are affected. Upgrade to firmware v1.16 or later resolves the issue.", "description_and_impact": "Delta Electronics AS320T firmware contains a buffer overflow flaw caused by the lack of length checking when processing file names. The overflow can corrupt the stack, allowing an attacker to execute arbitrary code or raise privileges.\n\nThe vulnerability is present in AS320T devices running firmware prior to version 1.16. No explicit version range is listed beyond the recommendation to upgrade.\n\nThe CVSS score of 9.8 indicates a high severity, while the EPSS < 1% suggests that exploitation is currently rare or not widely observed. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could trigger the overflow by sending a specially crafted file name to the device, potentially from a remote source if the device accepts user\u2011supplied files.", "risk_and_exploitability": "The CVSS score of 9.8 indicates critical severity. The EPSS < 1% suggests a low likelihood of exploitation. The vulnerability is not referenced in the CISA KEV catalog. Attackers would need to deliver a malicious file name to the AS320T, possibly over a network interface that accepts file uploads, to trigger the buffer overflow and potentially gain arbitrary code execution with device privileges."}}}}, "created": "2026-04-28T04:30:20.928619+00:00", "updated": "2026-04-28T14:30:33.761508+00:00", "vendors": ["deltaww", "deltaww$PRODUCT$as320t"]}