{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2752", "assignerOrgId": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "state": "PUBLISHED", "assignerShortName": "MHV", "dateReserved": "2026-02-19T14:48:27.721Z", "datePublished": "2026-03-06T15:04:20.840Z", "dateUpdated": "2026-03-10T15:48:32.979Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "shortName": "MHV", "dateUpdated": "2026-03-10T15:48:32.979Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-209", "description": "CWE-209 Generation of Error Message Containing Sensitive Information", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Information Disclosure"}]}], "affected": [{"vendor": "Navtor", "product": "NavBox", "versions": [{"status": "affected", "version": "4.12.0.3"}, {"status": "unaffected", "version": "4.16.2.4"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return verbose .NET stack traces. These error messages expose internal class names, method calls, and third-party library references (e.g., System.Data.SQLite), which may assist attackers in mapping the application's internal structure.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return verbose .NET stack traces. These error messages expose internal class names, method calls, and third-party library references (e.g., System.Data.SQLite), which may assist attackers in mapping the application's internal structure.</p>"}]}], "references": [{"url": "https://cydome.io/vulnerability-advisory-cve-2026-2752-in-navtor-navbox-version-4-12-0-3", "tags": ["technical-description"]}, {"url": "https://www.navtor.com/navtor-vendor-statement", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "credits": [{"lang": "en", "value": "Cydome Security Ltd", "type": "finder"}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T15:22:21.078120Z", "id": "CVE-2026-2752", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T15:22:32.547Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2752", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T15:22:21.078120Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T15:22:26.593Z"}}], "cna": {"source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Cydome Security Ltd"}], "impacts": [{"descriptions": [{"lang": "en", "value": "Information Disclosure"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Navtor", "product": "NavBox", "versions": [{"status": "affected", "version": "4.12.0.3"}, {"status": "unaffected", "version": "4.16.2.4"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cydome.io/vulnerability-advisory-cve-2026-2752-in-navtor-navbox-version-4-12-0-3", "tags": ["technical-description"]}, {"url": "https://www.navtor.com/navtor-vendor-statement", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return verbose .NET stack traces. These error messages expose internal class names, method calls, and third-party library references (e.g., System.Data.SQLite), which may assist attackers in mapping the application's internal structure.", "supportingMedia": [{"type": "text/html", "value": "<p>Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return verbose .NET stack traces. These error messages expose internal class names, method calls, and third-party library references (e.g., System.Data.SQLite), which may assist attackers in mapping the application's internal structure.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-209", "description": "CWE-209 Generation of Error Message Containing Sensitive Information"}]}], "providerMetadata": {"orgId": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "shortName": "MHV", "dateUpdated": "2026-03-10T15:48:32.979Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2752", "state": "PUBLISHED", "dateUpdated": "2026-03-10T15:48:32.979Z", "dateReserved": "2026-02-19T14:48:27.721Z", "assignerOrgId": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "datePublished": "2026-03-06T15:04:20.840Z", "assignerShortName": "MHV"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return verbose .NET stack traces. These error messages expose internal class names, method calls, and third-party library references (e.g., System.Data.SQLite), which may assist attackers in mapping the application's internal structure."}, {"lang": "es", "value": "Navtor NavBox permite la revelaci\u00f3n de informaci\u00f3n a trav\u00e9s del endpoint /api/ais-data. Un atacante remoto y no autenticado puede enviar solicitudes manipuladas para desencadenar una excepci\u00f3n no controlada, lo que provoca que el servidor devuelva trazas de pila .NET detalladas. Estos mensajes de error exponen nombres de clases internas, llamadas a m\u00e9todos y referencias a librer\u00edas de terceros (p. ej., System.Data.SQLite), lo que puede ayudar a los atacantes a mapear la estructura interna de la aplicaci\u00f3n."}], "id": "CVE-2026-2752", "lastModified": "2026-03-10T18:18:49.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "type": "Secondary"}]}, "published": "2026-03-06T15:16:10.987", "references": [{"source": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "url": "https://cydome.io/vulnerability-advisory-cve-2026-2752-in-navtor-navbox-version-4-12-0-3"}, {"source": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "url": "https://www.navtor.com/navtor-vendor-statement"}], "sourceIdentifier": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "56a186b1-7f5e-4314-ba38-38d5499fccfd", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.12.0.3"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "4.16.2.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "NavBox", "source": "cna", "vendor": "Navtor"}, "product": "navbox", "vendor": "navtor"}], "analysis": {"en": {"generated_at": "2026-04-17T12:19:37.720399+00:00", "value": {"mitigation_remediation": ["Upgrade NavBox to a version with the exception handling fix.", "Configure the application to suppress detailed stack traces in production environments by setting appropriate error\u2011handling options.", "Restrict or throttle access to the /api/ais-data endpoint, for example by implementing authentication or firewall rules."], "summary": {"action": "Assess Impact", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is Navtor NavBox; no specific affected versions are listed in the CVE payload.", "description_and_impact": "NavBox\u2019s /api/ais-data endpoint is vulnerable to an unhandled exception that returns verbose .NET stack traces when a remote attacker sends crafted requests. The resulting error messages reveal internal class names, method calls, and third\u2011party library references such as System.Data.SQLite, thereby exposing the application\u2019s internal structure. This behavior corresponds to an information\u2011disclosure weakness (CWE\u2011209).", "risk_and_exploitability": "The CVSS score of 5.3 places this vulnerability in the moderate severity range, while the EPSS score of less than 1% indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation is possible over the network by any host capable of issuing HTTP requests to the /api/ais-data endpoint; authentication is not required."}}}}, "created": "2026-03-09T10:07:31.826576+00:00", "title": "Information Disclosure via Verbose .NET Stack Traces in NavBox /api/ais-data", "updated": "2026-04-17T12:30:06.223344+00:00", "vendors": ["navtor", "navtor$PRODUCT$navbox"]}