{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7001", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-24T20:17:23.235Z", "datePublished": "2026-04-25T21:15:13.581Z", "dateUpdated": "2026-04-27T13:29:36.608Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-25T21:15:13.581Z"}, "title": "Datacom DM4100 Ethernet Configuration cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "Datacom", "product": "DM4100", "versions": [{"version": "1.3.6.1.4.1.3709", "status": "affected"}], "modules": ["Ethernet Configuration Page"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Datacom DM4100 1.3.6.1.4.1.3709. This affects an unknown part of the component Ethernet Configuration Page. Performing a manipulation of the argument Name results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-24T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-24T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-24T22:22:36.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Havook (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/359560", "name": "VDB-359560 | Datacom DM4100 Ethernet Configuration cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359560/cti", "name": "VDB-359560 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/797368", "name": "Submit #797368 | datacom DM4100 1.3.6.1.4.1.3709 Cross Site Scripting", "tags": ["third-party-advisory"]}]}, "adp": [{"references": [{"url": "https://vuldb.com/submit/797368", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T13:29:27.475858Z", "id": "CVE-2026-7001", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:29:36.608Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-7001", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T13:29:27.475858Z"}}}], "references": [{"url": "https://vuldb.com/submit/797368", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:27:54.354Z"}}], "cna": {"title": "Datacom DM4100 Ethernet Configuration cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "Havook (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "Datacom", "modules": ["Ethernet Configuration Page"], "product": "DM4100", "versions": [{"status": "affected", "version": "1.3.6.1.4.1.3709"}]}], "timeline": [{"lang": "en", "time": "2026-04-24T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-24T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-24T22:22:36.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/359560", "name": "VDB-359560 | Datacom DM4100 Ethernet Configuration cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359560/cti", "name": "VDB-359560 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/797368", "name": "Submit #797368 | datacom DM4100 1.3.6.1.4.1.3709 Cross Site Scripting", "tags": ["third-party-advisory"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Datacom DM4100 1.3.6.1.4.1.3709. This affects an unknown part of the component Ethernet Configuration Page. Performing a manipulation of the argument Name results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-25T21:15:13.581Z"}}}, "cveMetadata": {"cveId": "CVE-2026-7001", "state": "PUBLISHED", "dateUpdated": "2026-04-27T13:29:36.608Z", "dateReserved": "2026-04-24T20:17:23.235Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-25T21:15:13.581Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Datacom DM4100 1.3.6.1.4.1.3709. This affects an unknown part of the component Ethernet Configuration Page. Performing a manipulation of the argument Name results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-7001", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-25T22:16:19.647", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/797368"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359560"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359560/cti"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://vuldb.com/submit/797368"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.3.6.1.4.1.3709"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "DM4100", "source": "cna", "vendor": "Datacom"}, "product": "dm4100", "vendor": "datacom"}], "analysis": {"en": {"generated_at": "2026-04-28T05:27:51.603879+00:00", "value": {"mitigation_remediation": ["Enable authentication and role\u2011based access control on the DM4100 web console, ensuring only authorized administrators can access the Ethernet Configuration Page.", "Limit exposure of the management interface by restricting allowed IP ranges or VPN access and blocking all other traffic to the device\u2019s management port.", "If a firmware update that removes the XSS flaw is not available, consider disabling the Ethernet Configuration feature or replacing the device with a newer model that includes the patch."], "summary": {"action": "Assess Impact", "impact": "Cross\u2011site scripting"}, "threat_synthesis": {"affected_systems": "The affected device is the Datacom DM4100 running firmware 1.3.6.1.4.1.3709. No other vendors, products, or versions have been reported as impacted in the CVE record. The vulnerable component is the Ethernet Configuration Page of this firmware.", "description_and_impact": "The vulnerability is a cross\u2011site scripting flaw in the Ethernet Configuration Page of Datacom DM4100. Manipulating the Name argument allows a remote attacker to inject and execute arbitrary script in the web interface, potentially hijacking user sessions, stealing credentials, or defacing the management portal. The weakness is reflected by CWE\u201179 and CWE\u201194, and an exploit that is publicly available has already been circulating. The vendor did not respond to disclosure, leaving no official fix public.", "risk_and_exploitability": "The CVSS score of 4.8 indicates moderate severity. The EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is currently low, and the vulnerability is not listed in CISA\u2019s KEV catalog. However, the flaw is exploitable remotely via a crafted web request to the configuration interface, requiring only network connectivity to the device\u2019s management port. If exploited, an attacker could execute scripts with the privileges of the web interface, affecting confidentiality, integrity, and availability of the device\u2019s configuration and potentially the broader network."}}}}, "created": "2026-04-27T19:52:39.151570+00:00", "updated": "2026-04-28T05:30:23.369520+00:00", "vendors": ["datacom", "datacom$PRODUCT$dm4100"]}