CVE-2026-11596

{"id": "CVE-2026-11596", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-11596", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-10T18:18:34.629863Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.2}]}, "affected": [{"source": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "affectedData": [{"vendor": "ConnectWise", "modules": ["Host Pass"], "product": "ScreenConnect", "versions": [{"status": "affected", "version": "All versions prior to 26.2"}], "defaultStatus": "unaffected"}]}], "published": "2026-06-10T18:16:40.113", "references": [{"url": "https://github.com/ConnectWise-Advisories/Disclosures/tree/main/CVE-2026-11596", "source": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "description": [{"lang": "en", "value": "CWE-1284"}]}], "descriptions": [{"lang": "en", "value": "In ScreenConnect\u2122 versions prior to 26.2, input\nvalidation within the Host Pass creation functionality could allow an\nauthenticated user with Host Pass creation privileges the ability to specify a\ntoken expiration duration beyond the intended maximum when generating delegated\naccess tokens."}], "lastModified": "2026-06-17T10:14:15.550", "sourceIdentifier": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49"}