{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24728", "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88", "state": "PUBLISHED", "assignerShortName": "ZUSO ART", "dateReserved": "2026-01-26T07:42:53.160Z", "datePublished": "2026-01-30T03:48:28.100Z", "dateUpdated": "2026-01-30T18:19:12.243Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "DreamMaker", "vendor": "Internet Information Co., Ltd", "versions": [{"lessThan": "2025/10/22", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2026-01-30T03:44:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A missing authentication for critical function vulnerability in the /servlet/baServer3 endpoint of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to access exposed administrative functionality without prior authentication."}], "value": "A missing authentication for critical function vulnerability in the /servlet/baServer3 endpoint of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to access exposed administrative functionality without prior authentication."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88", "shortName": "ZUSO ART", "dateUpdated": "2026-01-30T03:48:28.100Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://zuso.ai/advisory/za-2026-01"}], "source": {"discovery": "UNKNOWN"}, "title": "Interinfo DreamMaker - Missing Authentication for Critical Function", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-30T18:18:31.108971Z", "id": "CVE-2026-24728", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T18:19:12.243Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24728", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-30T18:18:31.108971Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T18:19:08.188Z"}}], "cna": {"title": "Interinfo DreamMaker - Missing Authentication for Critical Function", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Internet Information Co., Ltd", "product": "DreamMaker", "versions": [{"status": "affected", "version": "0", "lessThan": "2025/10/22", "versionType": "custom"}], "defaultStatus": "unknown"}], "datePublic": "2026-01-30T03:44:00.000Z", "references": [{"url": "https://zuso.ai/advisory/za-2026-01", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "A missing authentication for critical function vulnerability in the /servlet/baServer3 endpoint of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to access exposed administrative functionality without prior authentication.", "supportingMedia": [{"type": "text/html", "value": "A missing authentication for critical function vulnerability in the /servlet/baServer3 endpoint of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to access exposed administrative functionality without prior authentication.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88", "shortName": "ZUSO ART", "dateUpdated": "2026-01-30T03:48:28.100Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24728", "state": "PUBLISHED", "dateUpdated": "2026-01-30T18:19:12.243Z", "dateReserved": "2026-01-26T07:42:53.160Z", "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88", "datePublished": "2026-01-30T03:48:28.100Z", "assignerShortName": "ZUSO ART"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A missing authentication for critical function vulnerability in the /servlet/baServer3 endpoint of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to access exposed administrative functionality without prior authentication."}, {"lang": "es", "value": "Una vulnerabilidad de falta de autenticaci\u00f3n para funci\u00f3n cr\u00edtica en el endpoint /servlet/baServer3 de las versiones de Interinfo DreamMaker anteriores al 22/10/2025 permite a atacantes remotos acceder a la funcionalidad administrativa expuesta sin autenticaci\u00f3n previa."}], "id": "CVE-2026-24728", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ART@zuso.ai", "type": "Secondary"}]}, "published": "2026-01-30T05:16:33.347", "references": [{"source": "ART@zuso.ai", "url": "https://zuso.ai/advisory/za-2026-01"}], "sourceIdentifier": "ART@zuso.ai", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "ART@zuso.ai", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:14:39.497027+00:00", "value": {"mitigation_remediation": ["Upgrade to a patch or release issued after 2025\u201110\u201122 that fixes the missing authentication flaw.", "If an immediate upgrade is not feasible, restrict network reach to the /servlet/baServer3 endpoint to trusted IP addresses or internal networks only.", "Implement web application firewall rules or intrusion detection signatures to block or alert on unauthorized access attempts to the vulnerable endpoint."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Administrative Access"}, "threat_synthesis": {"affected_systems": "Internet Information Co., Ltd DreamMaker versions released before 2025\u201110\u201122 are affected. Any deployment of these versions is vulnerable until a patch or workaround is applied.", "description_and_impact": "A missing authentication check in the /servlet/baServer3 endpoint of Interinfo DreamMaker allows remote attackers to invoke critical administrative functions without any prior login. This flaw can lead to full administrator privileges, enabling the attacker to modify configurations, access sensitive data, or take control of the system, as reflected in the 9.3 CVSS score and its classification under CWE-306.", "risk_and_exploitability": "The vulnerability carries a high severity CVSS score of 9.3 but has an extremely low EPSS probability (< 1%). It is not listed in the CISA KEV catalog, indicating no publicly known exploits at the time of reporting. The likely attack vector is remote network access to the vulnerable HTTP endpoint, where an attacker can send crafted requests to exploit the missing authentication guard."}}}}, "created": "2026-01-30T08:42:16.033588+00:00", "updated": "2026-04-18T01:15:05.997624+00:00", "vendors": ["interinfo", "interinfo$PRODUCT$dreammaker"]}